Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

use inputlookup with field index and count as sub search

bapun18
Communicator
‎09-04-2019 05:55 AM

I have an inputlookup which have 2 fields index and count, I need to create an alert so that alert will trigger when we have greater value of real index values mentioned over count field in lookup.

I have used following query but I want to get pass the index name as a sub search to inputlookup.

|inputlookup idx_myvdf.csv | table index | stats count by index | where count  > 0

I have tried below query as well, but still no result, want to pass index name mentioned under lookup and their actual count and then I want to put where count > actual_count

|tstats c by index where index[|inputlookup idx_myvdf.csv | rename index AS actual_index | fields actual_index] | table indexcount actual_index actual_count

Please suggest it's urgent
alt text

img-20190828-wa0017.jpg
Preview file
64 KB
0 Karma
Reply

renjith_nair
Legend
‎09-04-2019 09:04 AM

@bapun18,

Try

| tstats count where (index=* OR index=_*) by index
| lookup idx_myvdf.csv index OUTPUT count as threshold
| appendcols [|inputlookup idx_myvdf.csv|where index="default"|fields count|rename count as default|filldown default
| eval threshold=coalesce(threshold,default)|where count > threshold
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top