Hi All,
I have to pull the results in my Splunk query based on a type. I am able to pull the results using the type as shown below.
index=app sourcetype=log4j | stats count as total by type
However, this type is not user readable, so I created a lookup to map the type to user-readable data as key pairs, like shown below.
Type, APP_NAME
Type1,Mapping1
Type2,Mapping2
Type3,Mapping3
This is not giving me output when I use the below query.
index=app sourcetype=log4j
| stats count as total by type
| lookup mapping_file.csv type as type_data OUTPUT APP_NAME as APP_NAME_data
| replace type with APP_NAME_data in type
| table APP_NAME_data,count
Can anyone let me know what mistake I am making here?
You are probably getting an error; what is that error?
Your reference to using lookup mapping_file.csv makes me wonder if you have the csv file set up correctly. Please double-check your work carefully, following the Configure CSV Lookups section in the docs.
If you end up with a lookup named mapping_file, then it's possible the syntax you need is as follows.
index=app sourcetype=log4j
| stats count as total by type
| lookup mapping_file Type AS type OUTPUT APP_NAME as APP_NAME_data
| table APP_NAME_data, total
Pay special attention to AS clauses in lookup - I find them constantly confusing and have to carefully refer back to the docs. The ones after OUTPUT/OUTPUTNEW are fine, it's the ones before that are logically backwards from the way I would prefer them.
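As an added illustration (not part of the thread above), here is a small Python model of how the lookup command's AS arguments map lookup columns onto result fields, using the CSV header and field names from the question. It simulates only the syntax rule the answer describes (name before AS = lookup column, name after AS = result field, names matched exactly); it is not Splunk, and the sample counts are constructed.

```python
import csv
import io

# Constructed sample: the lookup CSV from the question (header "Type,APP_NAME").
MAPPING_CSV = """Type,APP_NAME
Type1,Mapping1
Type2,Mapping2
Type3,Mapping3
"""

# Constructed sample: what "stats count as total by type" would hand to lookup.
STATS_ROWS = [
    {"type": "Type1", "total": 42},
    {"type": "Type2", "total": 7},
    {"type": "Type9", "total": 1},  # no matching lookup row: field stays absent
]


def load_lookup(csv_text):
    """Parse the lookup table into dict rows; column names are kept verbatim."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def spl_lookup(rows, table, lookup_field, event_field, out_field, out_as):
    """Model of `| lookup <table> <lookup_field> AS <event_field> OUTPUT <out_field> AS <out_as>`.

    Before AS: a column of the lookup table.  After AS: a field of the results.
    Names are compared exactly, so `type` is not the same column as `Type`.
    """
    index = {r[lookup_field]: r[out_field] for r in table if lookup_field in r}
    result = []
    for row in rows:
        new_row = dict(row)
        key = row.get(event_field)
        if key is not None and key in index:
            new_row[out_as] = index[key]
        result.append(new_row)
    return result


def run_original_query(rows, table):
    """Question's clause: `type as type_data` names a column and a field that don't exist."""
    return spl_lookup(rows, table, "type", "type_data", "APP_NAME", "APP_NAME_data")


def run_corrected_query(rows, table):
    """Answer's clause: `Type AS type` joins lookup column Type to result field type."""
    return spl_lookup(rows, table, "Type", "type", "APP_NAME", "APP_NAME_data")


if __name__ == "__main__":
    for r in run_corrected_query(STATS_ROWS, load_lookup(MAPPING_CSV)):
        print(r.get("APP_NAME_data", r["type"]), r["total"])
```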