Solved: Using a value from a lookup table

jravida · ‎06-26-2014

Hi folks,

I have a lookup table I created that is derived from a saved search, and it counts the computers on the network each day. It is only a single line with the host count (host_count) and the time (search_time) it was done. I want to use that value in an equation, but I am having a hard time invoking it.

I want it to look like:
|stats count by patched_host | eval percent = (1-((host_count - count)/host_count))
So this would show me the percent of hosts patched.

So my question is how to reference the lookup table that only has two values, host_count and time.

somesoni2 · ‎06-26-2014

Try something like this

your base search  |stats count by patched_host | eval host_count=[|inputlookup dailyhosts.csv | return $host_count]| eval percent = (1-((host_count - count)/host_count))  | fields - host_count

View solution in original post

somesoni2 · ‎06-26-2014

Try something like this

your base search  |stats count by patched_host | eval host_count=[|inputlookup dailyhosts.csv | return $host_count]| eval percent = (1-((host_count - count)/host_count))  | fields - host_count

jravida · ‎06-26-2014

You are a Splunk god. I gave you credit to my boss so he doesn't start thinking I'm smart.

Using a value from a lookup table

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio