inputlookup(csv) with Distinct_count

priya777 · ‎04-07-2020

Hi There!
I have created a list of 2000 names in a CSV file. I am trying to get the phone numbers of these 2000 people using the below query,

index=*** event=contact [ | inputlookup names.csv | fields names ] | stats dc(phoneNumber) by names | fillnull value=0 names

When I do the distinct count I only get the names who are registered, but I need the remaining names - dc(phone_numbers) as 0, when I run the query.

to4kawa · ‎04-08-2020

 index=yours event=contact 
| inputlookup append=t names.csv 
| stats dc(phoneNumber) by names

names.csv:

names
johndoo
hoobar

How about this. If your csv is not this format, fix it.

priya777 · ‎04-08-2020

Thanks for your reply, but the above query is not taking the inputs from the file

manjunathmeti · ‎04-07-2020

Your query filters index=*** event=contact with names exist in lookup file. Use OR in the search like below.

index=*** event=contact OR [ | inputlookup names.csv | fields names ] | stats dc(phoneNumber) by names | fillnull value=0 names

priya777 · ‎04-07-2020

@DalJeanis Please suggest

Are you a member of the Splunk Community?