Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to add an extra row based on a pre-defined list of stores if the stores don't exist in the search results?

wesbrowntech
Engager
‎06-17-2019 02:50 PM

I've searched around and I've been having a hard time finding an answer to this probably due to how I'm phrasing the issue.

We have a search that returns logs with the field Store= in it. After transforming the data we end up with a table that looks like of like this:

Store | Result 1 | Result 2 | Result 3
123 | 4 | 15 | 2
231 | 5 | 5  | 34
987 | 3 | 2 | 1

The issue I'm having is that lets say that Store 987 has 0 results, it won't be returned because there will be no logs to build that row off of. Is there a way to add an extra row based on a pre-defined list of stores if the stores don't exist in the search results?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stuartidelta01
Path Finder
‎06-17-2019 03:54 PM

Add a lookup file - stores.csv - that just lists you store numbers.

then use:

|inputlookup stores.csv | join Store type=outer [search <your-search>] | fillnull

The following search worked for me (I added a csv list of dummy hostname + one that matched my local server name into hosts_text.csv)

|inputlookup hosts_test.csv|join hostname type=outer [search index=_internal |stats count by host|rename host as hostname] | fillnull

Example hosts_test.csv for above search:

hostname
myserver
localhost
notaserver

Results:

count     hostname
4845       myserver
0         localhost
0         notaserver

View solution in original post

Reply
Solved! Jump to solution
Solution

stuartidelta01
Path Finder
‎06-17-2019 03:54 PM

Add a lookup file - stores.csv - that just lists you store numbers.

then use:

|inputlookup stores.csv | join Store type=outer [search <your-search>] | fillnull

The following search worked for me (I added a csv list of dummy hostname + one that matched my local server name into hosts_text.csv)

|inputlookup hosts_test.csv|join hostname type=outer [search index=_internal |stats count by host|rename host as hostname] | fillnull

Example hosts_test.csv for above search:

hostname
myserver
localhost
notaserver

Results:

count     hostname
4845       myserver
0         localhost
0         notaserver
Reply
Solved! Jump to solution

wesbrowntech
Engager
‎06-21-2019 12:27 PM

This works great but its really slow. I'll poke at it and see if there is a way to speed it up. Thanks very much!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...