Splunk Search

How to update a lookup file with top command results?

srinivasup
Explorer

Hi,

I have a lookup file with host and count fields as below

host.csv

host  count
-----------------
host1 10
host2 20
host3 30
host4 40
host5 50
host6 60
host7 70

Now I will get the top 5 host counts from log events as below

index=main | top 5 host | table host count

result:

host1 2
host2 3
host3 4
host4 5
host5 6

Now I want to update these top command results in the csv, sum them and get the final top 5 host count.
The final output should be in the lookup file for further usage:

host   count
-----------------
host1 12
host2 23
host3 34
host4 45
host5 56
host6 60
host7 70
0 Karma

niketn
Legend

@srinivasup... Were you able to try out any one of the following options?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

woodcock
Esteemed Legend

Like this:

index=main | top 5 host | table host count | append [| inputlookup host.csv] | stats sum(count) AS count BY host | outputlookup host.csv
0 Karma

niketn
Legend

Try something like the following with accum. Streamstats will also allow you to achieve the same.

index=main [| inputlookup host.csv | table host]
| lookup host.csv host OUTPUT count as csvCount
| stats count as indexCount values(csvCount) as csvCount by host
| sort -indexCount
| eval counter=1
| accum counter
| eval count=if(counter<=5,indexCount+csvCount,csvCount)
| table host count
| outputlookup host.csv
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
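The core of both answers is the same step: put the top-N rows and the existing lookup rows into one result set, then total the count per host and write the result back. The following Python is an added illustration of that merge, not code from any poster or from Splunk; the command names in the comments say which part of the search each function stands in for, and host.csv and the top-5 rows are constructed to match the question.

```python
import csv
import io

# Constructed sample lookup contents, matching the question's host.csv
HOST_CSV = """host,count
host1,10
host2,20
host3,30
host4,40
host5,50
host6,60
host7,70
"""

# Constructed sample of what `index=main | top 5 host | table host count`
# returns (count arrives as a string field, as in Splunk results)
TOP_RESULTS = [
    {"host": "host1", "count": "2"},
    {"host": "host2", "count": "3"},
    {"host": "host3", "count": "4"},
    {"host": "host4", "count": "5"},
    {"host": "host5", "count": "6"},
]


def read_lookup(csv_text):
    """inputlookup: parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def sum_by_host(rows):
    """append + stats sum(count) AS count BY host: total count per host over
    the combined row set. Like stats, a row whose count is missing or not
    numeric contributes nothing, and output is ordered by the BY field."""
    totals = {}
    for row in rows:
        try:
            n = int(row["count"])
        except (KeyError, ValueError):
            continue
        totals[row["host"]] = totals.get(row["host"], 0) + n
    return [{"host": h, "count": totals[h]} for h in sorted(totals)]


def write_lookup(rows):
    """outputlookup: serialise the summed rows back to CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "count"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def update_lookup(csv_text, top_rows):
    """Whole pipeline: top results plus existing lookup -> new lookup text."""
    return write_lookup(sum_by_host(top_rows + read_lookup(csv_text)))


if __name__ == "__main__":
    print(update_lookup(HOST_CSV, TOP_RESULTS), end="")
```

Because the sum runs over the union of both row sets, a host that appears only in the lookup keeps its previous count and a host that appears only in the top results is added as a new row; the rows for host6 and host7 in the expected output come from the lookup side alone. A search that first restricts itself to hosts found in the index would have no row for a host with no events, so the file written by outputlookup would lose that host unless the lookup rows are appended back in.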