Re: Custom Splunk query

Ash1 · ‎03-16-2024

|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes

Form the above query i am getting the results of service and application_codes.

But my requirement is to get the application_codes from a csv file and from only type=error1

below is the csv file

yuanliu · ‎03-16-2024

For this problem, using the lookup in subsearch is more direct and potentially more efficient.

|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes
| search type = error1
  [inputlookup app.csv]

ITWhisperer · ‎03-16-2024

Try lookup of application_codes in csv and then filter by type

Ash1 · ‎03-16-2024

|mstats sum(faliure.count) as Failed where index=metric-logs by service application_codes
|lookup app.csv  application_codes

when i run the above query i am getting application_codes from mstats query not from csv file

ITWhisperer · ‎03-16-2024

Please can you give an example of your expected results?

Ash1 · ‎03-16-2024

application_codes

0

1206

18

1729

i want to see only the above application codes, that is from csv file only.

ITWhisperer · ‎03-17-2024

If you just want the application codes, why are you doing the mstats?

| inputlookup app.csv
| where Type="error1"
| table application_codes

Custom Splunk query