Solved: How to use inputlookup count of results as a filte...

sergiupopescu · ‎08-26-2015

So I have a search which pulls the number of servers in a farm that have the "X" application installed on them. Now I have a csv file I do a lookup into, which keeps the server status (Production/Testing/etc).

What I did was:
- to get from the main search a result which counts the number of servers where it is installed
- it displays Application Name | count of servers which have it installed

What I want to do now is to count the number of results from within a lookup and compare the results described above in the main search with this result, if there are differences, I woul like to keep from the main search only the applications which are not installed on the same
number of servers as the inputlookup results.

SO:
Main search:

{blablabla} | stats dc(host) by ApplicationName, Version

Subsearch would be:

| inputlookup *lookup table* | search Destination=*"PROD"* | stats count(host)

(which in this particular case returns 89)
And I need to compare the number of servers which have the same ApplicationName on them with 89 resulted above

Any help is highly appreciated

somesoni2 · ‎08-26-2015

Try something like this

{blablabla} | stats dc(host) as by ApplicationName, Version | eval ServerCountLookup=[ | inputlookup lookup table | search Destination="PROD" | stats count(host) as count | return $count] | your comparison here...

View solution in original post

somesoni2 · ‎08-26-2015

Try something like this

{blablabla} | stats dc(host) as by ApplicationName, Version | eval ServerCountLookup=[ | inputlookup lookup table | search Destination="PROD" | stats count(host) as count | return $count] | your comparison here...

sergiupopescu · ‎08-27-2015

Works perfect, thank you!

How to use inputlookup count of results as a filter for the main search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life