Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

use inputlookup with field index and count as sub search

bapun18
Explorer
‎09-04-2019 05:55 AM

I have an inputlookup which have 2 fields index and count, I need to create an alert so that alert will trigger when we have greater value of real index values mentioned over count field in lookup.

I have used following query but I want to get pass the index name as a sub search to inputlookup.

|inputlookup idx_myvdf.csv | table index | stats count by index | where count  > 0

I have tried below query as well, but still no result, want to pass index name mentioned under lookup and their actual count and then I want to put where count > actual_count

|tstats c by index where index[|inputlookup idx_myvdf.csv | rename index AS actual_index | fields actual_index] | table indexcount actual_index actual_count

Please suggest it's urgent
alt text

0 Karma
Reply
Highlighted

Re: use inputlookup with field index and count as sub search

renjith_nair
SplunkTrust
SplunkTrust
‎09-04-2019 09:04 AM

@bapun18,

Try

| tstats count where (index=* OR index=_*) by index
| lookup idx_myvdf.csv index OUTPUT count as threshold
| appendcols [|inputlookup idx_myvdf.csv|where index="default"|fields count|rename count as default|filldown default
| eval threshold=coalesce(threshold,default)|where count > threshold
0 Karma
Reply