Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

table lookup issues

loveforsplunk
Explorer
‎05-17-2017 10:47 PM

I have a lookup table named lookupfile.csv
My file looks like this:
col1,col2,col3,col4
100,300,500,yes
200,400,600,yes1
300,100,500,yes3

My search is :
basesearch | lookup mylookup col1 , col2 , col3 OUTPUT col4 | stats count by col1, col2, col3, col4

For each event where all the input values matches, there will be a resulting field, col4, available for that event.
So if I have field1=100 AND field2=300 AND field3=500 then I will get back col4=yes or yes1 or yes2 based on the combination.

Now , suppose splunk gets a new combination for the base search whose details are not listed in the lookup file. Can I get the combination in statistics tab keeping the col4 field as blank ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-17-2017 11:01 PM

Before the stats command add a fillnull for field col4 -

basesearch | lookup mylookup col1 , col2 , col3 OUTPUT col4 | fillnull value="" col4 | stats count by col1, col2, col3, col4

I would suggest adding a character and not a blank space to make the output easier to read -

| fillnull value="-" col4

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-17-2017 11:01 PM

Before the stats command add a fillnull for field col4 -

basesearch | lookup mylookup col1 , col2 , col3 OUTPUT col4 | fillnull value="" col4 | stats count by col1, col2, col3, col4

I would suggest adding a character and not a blank space to make the output easier to read -

| fillnull value="-" col4
0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-17-2017 11:56 PM

Ahhh.. Thank You! I was doing the same thing of adding fillnull command but my mistake was I was adding it at the end of the search string. Thanks buddy!

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-17-2017 11:58 PM

Sure.. no problem 🙂

0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-18-2017 12:11 AM

I have another question .. do i have to update my csv file every time I get a new error or is there any other way that can also automatically do this . Just asking out of curiosity.

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-18-2017 12:15 AM

If you can form a query to identify new error and populate required fields, you can have another search running to update your lookup file with these fields using outputlookup command.

basesearch | lookup mylookup col1 , col2 , col3 OUTPUT col4 | search NOT col4=*

This will give you where there are no matches in the lookup and the fields that may have to be updated.

0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-20-2017 09:48 PM

Thank You!!

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...