Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search from a static lookup?

CStroud
Engager
‎09-05-2023 04:02 AM

Hi,

I'm trying to create a table that contains a list of tasks. The list is static and stored in a lookup table called tasks.csv.

So far I have the following search:

 

 

index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count by task
| search [|inputlookup tasks.csv ]

 

 

This creates me a table that looks like this:

task count
task_a 1
task_b 1
task_c 1
task_d 1

 

However, if a task in my static list does not appear in the search results, it does not show in the table.
I want the table to contain the whole list of tasks, regardless of whether they appear in the search results or not.

i.e.

task count
task_a 1
task_b 1
task_c 1
task_d 1
task_e 0
task_f 0

 

Any ideas on how I can do this?

The closest I've got is using a join.. which does work, but does not allow for a wildcard, meaning I'd need to specify the whole 'task'.

 

 

|inputlookup tasks.csv 
| join type=left task [ | search index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count by task] 
| fillnull value=0 task
| table task count

 

 

 

Would appreciate any thoughts or suggestions.
Thanks in advance.

Labels (4)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 04:17 AM 
index=one OR index=two | rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.*)" | stats count as index_count by task
| eval location = 1
| append
  [|inputlookup tasks.csv | eval location = 2 ]
| stats sum(location) as location by task
| fillnull value=0 index_count

If location = 1, the task is in the indexes but not in the lookup

If location = 2, the task is in the lookup but not in the indexes

If location = 3, the task is in both the lookup and the indexes

0 Karma
Reply

CStroud
Engager
‎09-05-2023 04:29 AM

Thanks for the quick reply!

I've also added the following to the end:

| search location=3 OR location=2
| eval status=if(location=2,"Waiting...","Completed")
| table message status

This now lists all of my defined tasks and tells me whether the task has run or not, based on whether the event is returned by the search.

How do include wildcards?
The task from my indexed data looks like this: "task_a has run successfully with return code x after y minutes"
My lookup task is simply "task_a has run successfully"
So I'd like the search to allow for task_a has run successfully*

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 05:30 AM

Change your rex so that only the first part is extracted into task

| rex field=_raw "^[0-9-:.\s]*\w+\s+(?<task>.* has run succesfully)"
0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...