Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

lookup table,

kishan2356
Explorer
‎07-08-2021 12:48 PM

Hi have a report that is sent of a daily basis.  The report provides a count for every one hour bucket. Sometimes  get 0s for a few of those hourly buckets. Instead of 0s being reported I would like for my query to replace the 0s with data from my lookup file.

index=xxx sourcetype=xxx | fields success_count | stats sum(success_count) as success_count by _time
| bin _time span=1h| stats max(success_count) as max_count by _time
| makecontinuous
| fillnull value=0
| inputlookup append=t "app_nullentries.csv"                                                                                                                                  | eval max_count=case(max_count="0" and !isnull(max_login_value), max_login_value, 1=1, max_login)

I need help getting my query to run the logic: if max_count=0, than get data from the the app_nullentries.csv and replace 0s with what is stated in the file. The file has the exact Date and time , and what value to replace the 0s with.

 

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...