Hi Splunk fellows,
Struggling a bit with the map command, which I have never used before:
| inputlookup myfile1.csv
| append
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C"
| table site_code
--> until here everything looks fine
| map search="|inputlookup myfile1.csv | where site_code=$site_code$"
Don't try too much to make sense out of it as I simplified the query, but basically I'm filtering out events to get the ones I'm interested in and I create a table containing my site_code values. So far so good. Now I would like to use these values to select some specific entries in my lookup table with the map command but I'm not getting any results. It seems the $site_code$ variable is not filled in properly.
Any advice?
Thank you
Can you try:
| inputlookup myfile1.csv
| append
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C"
| table site_code
--> until here everything looks fine
| map search="|inputlookup myfile1.csv | where site_code=\"$site_code$\""
Let me know if this works!
This is working, many thanks for this. Actually my aim is to compare 2 lookup tables to find the list of site_codes I'm interested in. Then, based on this list, I need to modify some entries having the same site_code in the first lookup table.
Sorry for not having accepted your answer, I thought it was possible to accept several answers but apparently it is not. Thank you anyway for your help.
You would need to put $site_code$ in quotes, like this:
| inputlookup myfile1.csv
| append
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C"
| table site_code
| map [|inputlookup myfile1.csv | where site_code="$site_code$"]
I changed search="..." to [...] to make this easier to read.
You could combine the where with the inputlookup, as well:
| inputlookup myfile1.csv
| append
[| inputlookup myfile2.csv ]
| where status!="H"
| eventstats dc(status) as status_cnt by site_code
| where status_cnt=1 and status="C"
| table site_code
| map [|inputlookup myfile1.csv where site_code=$site_code$]
Note that this version doesn't require double quotes around $site_code$. This is because the where clause of inputlookup assumes the right hand side will be a value, whereas the where command allows you to pass field names on the right hand side, or values if in quotes. So your | where thought you were saying | where <fieldA>=<fieldB> instead of | where <fieldA>=<valueB>.
I had a typo in my searches, where I had search=[. When you use [ to define your map search instead of " you don't also include the search= component.
This one is working too. Thanks for the explanation.
Despite your assertion that we shouldn't "try too much to make sense out of it", I'm going to ask that you provide some basic details regarding what the data looks like and what you want to accomplish. The reason for this is map is a bad idea in most cases. I think you'd be better served trying to find a better search, rather than troubleshooting this one.
That said, academic exercises (i.e. solving this one even though you may not use the answer) are still great teachers.
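A map-free form of the search discussed in this thread, as an added example that is not from any of the posters: the filtering pipeline runs once as a subsearch, which Splunk expands into site_code="..." OR ... terms with the values already quoted, so there is no $site_code$ token to quote and no search launched per row. It uses only the lookup and field names from the question.

```spl
| inputlookup myfile1.csv
| search
    [| inputlookup myfile1.csv
     | append
         [| inputlookup myfile2.csv ]
     | where status!="H"
     | eventstats dc(status) as status_cnt by site_code
     | where status_cnt=1 and status="C"
     | dedup site_code
     | fields site_code ]
```

Unlike map, which runs one search per input row and stops at its maxsearches limit (10 by default), this returns each matching row of myfile1.csv once. The subsearch is still subject to Splunk's subsearch result limits.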