I created a lookup and mapped to the logs, but how do I get the count of another field from a different log into my table?

Bhargav99
New Member
index=main sourcetype=mysourcetype | stats count by X | lookup data.csv cad as X | table name, count, login | where name!="" | rename name as Application | rename count as "# of sessions"

I want to show this below with the "Login", but that field is in a different log. How do I get this? I need to show count of logins.
Format Preview

Apn       # of sessions    Login
Se        57
Vr        18
Vce       24
Vint      1017
Wiint     6972
Google    6580
BaNCE     29896
Foy       16
JIA       17768
Sta       2355
ip        135
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=main sourcetype=mysourcetype OR sourcetype=othersourcetype | stats count(eval(sourcetype="mysourcetype")) AS SessionCount count(eval(sourcetype="othersourcetype")) AS LoginCount by X


0 Karma
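
Added example, not part of woodcock's answer or the original thread: the two-sourcetype stats above followed by the asker's lookup and renames, so the result is the three-column table from the question. It assumes data.csv has the columns cad and name (as in the asker's search), that X exists in both kinds of events, and that othersourcetype is only a placeholder for the sourcetype holding the login events.

```spl
index=main (sourcetype="mysourcetype" OR sourcetype="othersourcetype")
| stats count(eval(sourcetype="mysourcetype")) AS SessionCount
        count(eval(sourcetype="othersourcetype")) AS LoginCount
        BY X
| lookup data.csv cad AS X OUTPUT name
| where isnotnull(name) AND name!=""
| rename name AS Application, SessionCount AS "# of sessions", LoginCount AS "Login"
| table Application, "# of sessions", "Login"
```

The string literals inside eval() are double-quoted because an unquoted word there is read as a field name. The lookup runs after stats, so it is applied once per X value rather than once per event.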


Bhargav99
New Member

I got the count, but the thing is, it is from the same source type. What is the query for that? And will it automatically map the lookup?

I need a table
Application # of sessions Count(login)

0 Karma

woodcock
Esteemed Legend

You have not shared enough detail in order to give you a custom-fit answer. We do not know what fields are created by your lookup. We do not know what X is or how Apn fits into anything or even if Apn is a field. The search that I gave you is enough of a baseline for you to build out what you are asking, and that is as much as I can say without much more detail from you.

0 Karma

Bhargav99
New Member

Thank you !! I got that.

0 Karma