Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

inputlookup(csv) with Distinct_count

priya777
New Member
‎04-07-2020 12:56 PM

Hi There!
I have created a list of 2000 names in a CSV file. I am trying to get the phone numbers of these 2000 people using the below query,

index=*** event=contact [ | inputlookup names.csv | fields names ] | stats dc(phoneNumber) by names | fillnull value=0 names

When I do the distinct count I only get the names who are registered, but I need the remaining names - dc(phone_numbers) as 0, when I run the query.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-08-2020 03:43 PM 
 index=yours event=contact 
| inputlookup append=t names.csv 
| stats dc(phoneNumber) by names

names.csv:

names
johndoo
hoobar

How about this. If your csv is not this format, fix it.

0 Karma
Reply

priya777
New Member
‎04-08-2020 03:21 PM

Thanks for your reply, but the above query is not taking the inputs from the file

0 Karma
Reply

manjunathmeti
SplunkTrust
SplunkTrust
‎04-07-2020 10:11 PM

Your query filters index=*** event=contact with names exist in lookup file. Use OR in the search like below.

index=*** event=contact OR [ | inputlookup names.csv | fields names ] | stats dc(phoneNumber) by names | fillnull value=0 names
0 Karma
Reply

priya777
New Member
‎04-07-2020 01:02 PM

@DalJeanis Please suggest

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...