One sourcetype, one lookup csv file, three counts

flora123
Path Finder

Hello, I want to show three digits.

index="test" sourcetype="count" [ inputlookup AA_list | fields AA_List] | stats count as AA_count
index="test" sourcetype="count" [ inputlookup BB_list | fields BB_List] | stats count as BB_count
index="test" sourcetype="count" [ inputlookup CC_list | fields CC_List] | stats count as CC_count

I know I can merge them with 'join'.

But is it possible to merge them into one search with other commands?

Thanks a lot. 😃

0 Karma

flora123
Path Finder

Sorry, I just wanted to make it easy to read. I did not do it well. My English is not good enough.

In fact, the lookup file only has one value.

My search is just like this.

 index="test" sourcetype="count" | stats count as ALL_count | join type=outer max=0 overwrite=false [search index="test" sourcetype="count" [ inputlookup name_list | fields name_List | rename name as final]  | stats count as Intra_count] | join type=outer max=0 overwrite=false [search index="test" sourcetype="count" NOT [ inputlookup name_list | fields name_List | rename name as final] | stats count as Extra_count] 

It works well, but I want to know: is there any other way to do this?

Thanks a lot. 😃

0 Karma

sideview
SplunkTrust

Can you post the fields and some sample content from the three lookup files?

Until then this is really going out on a limb... So take this with a grain of salt.

But I'm a little suspicious of why there are three separate lookups in the first place, given that you seem to be using them on identical data.

You might be better off merging them into a single lookup, but adding another field to the lookup? I'm making a couple of assumptions here, notably that the 3 lookups are all keying off the same primary field, but let's say we merged them and we called the new field 'type' and its values were 'A', 'B', and 'C'. And say the primary field of the three lookups is called somefield.

index="test" sourcetype="count" | lookup master_list somefield | stats count by type

Kind of a shot in the dark. Please post the fields from the lookups though and I'm sure I or someone else can help more.

0 Karma
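Added example, not part of the original thread: one way to get the three counts from the follow-up post (ALL, Intra, Extra) in a single pass without `join`, by tagging each event with a lookup match and counting conditionally. It assumes `name_list` is a lookup definition whose key column is `name`, that the matching event field is `final`, and that `in_list` is a free field name; adjust all three to the real data.

```spl
index="test" sourcetype="count"
| lookup name_list name AS final OUTPUT name AS in_list
| stats count AS ALL_count,
        count(eval(isnotnull(in_list))) AS Intra_count,
        count(eval(isnull(in_list))) AS Extra_count
```

Events whose `final` value appears in the lookup get a non-null `in_list` and are counted as Intra; the rest are counted as Extra, so the two always sum to `ALL_count`.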