×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
warrick2
New Member
Member since: ‎02-03-2015
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-03-2015
View All

Re: How to use a lookup table field to use to quer...

by in Splunk Search
‎02-03-2015 02:06 PM
‎02-03-2015 02:06 PM
my query for the above lookups was (literally): earliest=10/01/2013:0:0:0 latest=2/2/2015:0:0:0 class=ARGUS_PASSAGE [ | inputlookup area.csv | fields area_number ] [ | inputlookup visitor.csv | fields Lab_ID ] | stats count by area_number, Lab_ID_id Returned 0 ... View more

Re: How to use a lookup table field to use to quer...

by in Splunk Search
‎02-03-2015 02:02 PM
‎02-03-2015 02:02 PM
Sure... Sample event: 30-Jan-2015 15:16:43, ARGUS_PASSAGE, NORMAL_PASSAGE, "NORMAL_PASSAGE, Station: 268, Unit Name: DOOR G, Portal: 2999, user 003835: Richard David Warrick, Badge: 2675(JO5), From Area 276, To Area 277, Biometrics: Not Configured", user 003835, badge 169739505, station 999, portal 2999, area 277, area 999, AFP 99, building 9999, badge 168234234 Visitor.csv Lab ID,Name,Column1,Column12 000360,Smith,Joe E.,Smith,Joe E. Area.csv area_number 2 5 89 ... View more

Re: How to use a lookup table field to use to quer...

by in Splunk Search
‎02-03-2015 01:22 PM
‎02-03-2015 01:22 PM
Ran without any errors... but also ran without any results, which I know there are some of for my visitor population. Thanks for the quick reply! Any other ideas? I did check both of my lookup tables for correct privileges, field names, etc. All looked ok. ... View more

How to use a lookup table field to use to query an...

by in Splunk Search
‎02-03-2015 12:49 PM
‎02-03-2015 12:49 PM
I'm a Splunk beginner, bear with me.... I am querying a system log file of access events. I have two lookup tables defined: Visitors and Areas. Visitors table has a 6 alphanumeric userid and the Areas table has a 3 digit area number. There are 129 userids in the visitors lookup table and 50+ area_numbers in the areas table Basically I am trying to query an access log on our system to produce a report that tells me if any of the Visitors in the lookup table accessed any of the areas in the areas table, and if so, how many times they accessed any particular area. I have started with: index=events sourcetype=PASSAGES 38D999 [ | inputlookup area.csv | fields area_number ] | stats count by area_number This requires me to run the query with a manually entered visitor ID (38D999). But I can't come up with how to have the query use my Visitor lookup table to get each individual userid and run the query to get the number of accesses each user made in the areas table. Is there a query that can go sequentially through the visitor table, get the first userid, run the query against the areas table and repeat for all 129 visitors? Sample event: 30-Jan-2015 15:16:43, ARGUS_PASSAGE, NORMAL_PASSAGE, "NORMAL_PASSAGE, Station: 268, Unit Name: DOOR G, Portal: 2999, user 003835: Richard David Warrick, Badge: 2675(JO5), From Area 276, To Area 277, Biometrics: Not Configured", user 003835, badge 169739505, station 999, portal 2999, area 277, area 999, AFP 99, building 9999, badge 168234234 Visitor.csv Lab ID,Name,Column1,Column12 000360,Smith,Joe E.,Smith,Joe E. Area.csv area_number 2 5 89 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM