Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit an inputlookup search that returns mor...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TheJagoff
Communicator
12-06-2016
08:12 AM
Hello (again),
I have a lookup table that has 17 fields in it and 200 total records, but of interest to me is a table named "pub_table" that I want to match against records in my index=prod sourcetype=stats table_name field - which has about 1500 unique table_name entries.
When I perform the following
|inputlookup assets_mapping_flow.csv| sort pub_table|table pub_table
the data I receive is along the lines of (I'm masking the data):
flow_01
flow_02
flow_03
...
flow_200
When I do the following search for my report:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv |return 200 $pub_table] | stats dc(table_name) by table_name
this is what I receive on the report
flow_1
flow_1a
flow_1a_test
flow_2
flow_2a
I only want to see flow_1, flow_2, flow_3 and so on, so it appears that I'm getting anything that contains those expressions.
Question - how do I correct this?
Many thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
12-06-2016
08:20 AM
try something like:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |return 200 table_name] | stats dc(table_name) by table_name
or
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |table table_name|format] | stats dc(table_name) by table_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
12-06-2016
08:20 AM
try something like:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |return 200 table_name] | stats dc(table_name) by table_name
or
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |table table_name|format] | stats dc(table_name) by table_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TheJagoff
Communicator
12-06-2016
08:28 AM
Yes works great, going with the first option for my case.
Thank you!
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
