Splunk Search

I created a lookup and mapped it to the logs, but how do I get the count of another field from a different log into my table?

Bhargav99
New Member
index=main sourcetype=mysourcetype | stats count by X | lookup data.csv cad as X | table name, count, login | where name!="" | rename name as Application | rename count as "# of sessions"

I want to show this below with "Login", but that field is in a different log. How do I get this? I need to show the count of logins.

Apn       # of sessions   Login
Se        57
Vr        18
Vce       24
Vint      1017
Wiint     6972
Google    6580
BaNCE     29896
Foy       16
JIA       17768
Sta       2355
ip        135

woodcock
Esteemed Legend

Like this:

index=main sourcetype=mysourcetype OR sourcetype=othersourcetype | stats count(eval(sourcetype="mysourcetype")) AS SessionCount count(eval(sourcetype="othersourcetype")) AS LoginCount by X


Bhargav99
New Member

I got the count, but the thing is it is from the same sourcetype. What is the query for that? And will it automatically map the lookup?

I need a table:

Application   # of sessions   Count(login)


woodcock
Esteemed Legend

You have not shared enough detail in order to give you a custom-fit answer. We do not know what fields are created by your lookup. We do not know what X is or how Apn fits into anything, or even if Apn is a field. The search that I gave you is enough of a baseline for you to build out what you are asking, and that is as much as I can say without much more detail from you.

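Putting the accepted answer and the follow-up together, here is an added example (not from either poster) that builds the requested Application / # of sessions / Count(login) table when both counts come from the same sourcetype and the poster's data.csv lookup supplies the application name. It assumes the lookup's input column is cad and its output column is name, and that a login event carries a login field while other events do not; the makeresults lines at the top only fabricate six constructed sample events so the search can be pasted and run without the real index.

```spl
| makeresults
| eval sample="Se,jdoe;Se,-;Vr,asmith;Vr,-;Vr,-;Se,mlee"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<X>[^,]+),(?<login>.+)$"
| eval login=if(login="-", null(), login)
| stats count AS SessionCount count(login) AS LoginCount by X
| lookup data.csv cad AS X OUTPUT name
| where isnotnull(name) AND name!=""
| table name SessionCount LoginCount
| rename name AS Application, SessionCount AS "# of sessions", LoginCount AS "Count(login)"
```

count(login) counts only the events where the login field is present (Se gets 3 sessions and 2 logins, Vr gets 3 and 1 on the sample data); to count on a value instead of presence, use the accepted answer's conditional form, for example count(eval(login="success")), keeping the compared value in quotes so eval does not read it as a field name.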

Bhargav99
New Member

Thank you!! I got that.
