Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Merging result of inputlookup file with subsearch to get required results

SunilMaharishi
Path Finder
‎09-19-2018 09:36 AM

i have one csv file which contains device name location data , i need to get count of all the device name location wise.
and then i am trying to get malware count and spyware count on the infected machines for one of indexed data as below but this search is not working "" Error in 'stats' command: The argument 'index=abc' is invalid"" if i remove inputlookup first line i will get results but i wont get total no of computers . how should i merge these two requirement .

|inputlookup xyz.csv | stats count("Device Name") as Total_Computers by Location
index=abc | search TMCM:SLF_INCIDENT
|lookup xyz.csv "Device Name" as nodename OUTPUT Location
| stats count(nodename) as InfectedComputers count(signature) as MalwareCount
count(Spyware) as Spywarecount by Location
| table Total_Computers,Location,InfectedComputers, MalwareCount, Spywarecount

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎09-20-2018 05:07 AM

hi @SunilMaharishi
try this

|inputlookup xyz.csv | stats count("Device Name") as Total_Computers by Location|appendcols [search index=abc | search TMCM:SLF_INCIDENT
|lookup xyz.csv "Device Name" as nodename OUTPUT Location
| stats count(nodename) as InfectedComputers count(signature) as MalwareCount 
count(Spyware) as Spywarecount by Location ]
| table Total_Computers,Location,InfectedComputers, MalwareCount, Spywarecount
Thanks
Harish

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎09-20-2018 05:07 AM

hi @SunilMaharishi
try this

|inputlookup xyz.csv | stats count("Device Name") as Total_Computers by Location|appendcols [search index=abc | search TMCM:SLF_INCIDENT
|lookup xyz.csv "Device Name" as nodename OUTPUT Location
| stats count(nodename) as InfectedComputers count(signature) as MalwareCount 
count(Spyware) as Spywarecount by Location ]
| table Total_Computers,Location,InfectedComputers, MalwareCount, Spywarecount
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

SunilMaharishi
Path Finder
‎09-20-2018 06:25 AM

i tried using append command and that is giving correct result , little bit modified the search though

0 Karma
Reply
Solved! Jump to solution

SunilMaharishi
Path Finder
‎09-20-2018 06:25 AM

i tried using this , however i am getting the total computers and location but" InfectedComputers, MalwareCount, Spywarecount " is blank and not having any values

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...