I'm having trouble understanding why I'm getting certain results from the use of lookup tables; any help would be greatly appreciated.
My lookup tables:
pre-ces-alerts.csv
_raw,sourcetype,alertMessage,severity
*Reloading repositories*,liferay,Reloading repositories,high
*RememberMe*,liferay,Remember Me,low
pre-ces-alerts-status.csv (empty for now; it is populated with the search results by outputlookup)
Action,"_time",Count,sourcetype,alertMessage,ackTime,username,clearTime
The search query:
index=pre_ces
| lookup update=true pre-ces-alerts.csv _raw sourcetype OUTPUT alertMessage
| lookup update=true pre-ces-alerts-status.csv alertMessage OUTPUT clearTime
| fillnull value=0 clearTime
| where (_time > clearTime)
| eventstats count(alertMessage) as newCount by alertMessage,sourcetype
| dedup 1 alertMessage,sourcetype sortby -_time
| lookup update=true pre-ces-alerts-status.csv alertMessage,sourcetype OUTPUT Action, ackTime, username, Count
| eval Action=if(isnull(Action),"Ack",Action)
| eval Count=if(Action = "CLEARED",if(_time > clearTime,0,Count),Count)
| eval Action=if(Action = "CLEARED",if(_time > clearTime,"Ack",Action),Action)
| fillnull value=0 Count
| eval Count=Count+newCount
| table Action,_time,Count,sourcetype,alertMessage,ackTime,username,clearTime
| append [|inputlookup pre-ces-alerts-status.csv]
| dedup 1 alertMessage,sourcetype
| outputlookup pre-ces-alerts-status.csv
| search Action="Ack"
| table alertMessage, sourcetype, _time, Count
I get no results returned; the search can't seem to get anything after this section:
index=pre_ces
| lookup update=true pre-ces-alerts.csv _raw sourcetype OUTPUT alertMessage
| lookup update=true pre-ces-alerts-status.csv alertMessage OUTPUT clearTime
| fillnull value=0 clearTime
| where (_time > clearTime)
| eventstats count(alertMessage) as newCount by alertMessage,sourcetype
| dedup 1 alertMessage,sourcetype sortby -_time
I have used this query on Splunk 6.1, but it's not giving me any joy on 6.4.
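To make the matching question concrete, here is an added Python model of the first half of the posted search (the part up to the dedup), written for this page; it is not the asker's code and not Splunk's. It assumes that a plain CSV lookup compares the input fields for exact, case-insensitive equality, and that the `*` patterns in the `_raw` column are only honoured when the lookup is defined in transforms.conf with `match_type = WILDCARD(_raw)`; whether such a definition exists on the asker's 6.4 instance is not stated on the page. The events and the contents of the status table are constructed, and timestamps are plain integers for readability.

```python
# Added example (not from the original post): a Python model of the first
# stage of the posted search, run over constructed events, to show how the
# two lookup matching modes change what survives the dedup.
import csv
import io
from fnmatch import fnmatchcase

# Contents of pre-ces-alerts.csv exactly as posted.
ALERTS_CSV = """_raw,sourcetype,alertMessage,severity
*Reloading repositories*,liferay,Reloading repositories,high
*RememberMe*,liferay,Remember Me,low
"""

# Constructed pre-ces-alerts-status.csv state: alertMessage -> clearTime.
# (Assumption: the real status file holds one such row per alert.)
STATUS = {"Remember Me": 1025}

# Constructed sample events (not from the original post).
EVENTS = [
    {"_time": 1000, "sourcetype": "liferay", "_raw": "INFO Reloading repositories for portal"},
    {"_time": 1010, "sourcetype": "liferay", "_raw": "INFO Reloading repositories for portal"},
    {"_time": 1020, "sourcetype": "liferay", "_raw": "WARN RememberMe cookie rejected"},
    {"_time": 1030, "sourcetype": "tomcat", "_raw": "INFO Reloading repositories for portal"},
]


def load_table(text):
    """Parse the CSV lookup file into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup_alert(event, table, wildcard):
    """Model `lookup pre-ces-alerts.csv _raw sourcetype OUTPUT alertMessage`.

    wildcard=False: exact, case-insensitive match on both input fields, which is
    what a plain CSV lookup does.  wildcard=True: the `*` in the _raw column is
    honoured, which in Splunk needs a lookup definition with
    match_type = WILDCARD(_raw) (assumption about the asker's setup: none is shown).
    """
    raw = event["_raw"].lower()
    for row in table:
        if row["sourcetype"].lower() != event["sourcetype"].lower():
            continue
        pattern = row["_raw"].lower()
        if fnmatchcase(raw, pattern) if wildcard else raw == pattern:
            return row["alertMessage"]
    return None


def latest_open_alerts(events, table, status, wildcard=True):
    """Model the pipeline up to `dedup 1 alertMessage,sourcetype sortby -_time`."""
    kept = []
    for ev in events:
        e = dict(ev)
        e["alertMessage"] = lookup_alert(e, table, wildcard)
        # lookup ... alertMessage OUTPUT clearTime | fillnull value=0 clearTime
        e["clearTime"] = status.get(e["alertMessage"], 0)
        # where (_time > clearTime): unmatched events (clearTime 0) still pass here
        if e["_time"] > e["clearTime"]:
            kept.append(e)

    # eventstats count(alertMessage) as newCount by alertMessage,sourcetype:
    # events with a null alertMessage get no group and no newCount.
    counts = {}
    for e in kept:
        if e["alertMessage"] is not None:
            key = (e["alertMessage"], e["sourcetype"])
            counts[key] = counts.get(key, 0) + 1

    # dedup 1 alertMessage,sourcetype sortby -_time: newest event per pair;
    # events missing either field are dropped (dedup default keepempty=false).
    newest = {}
    for e in kept:
        if e["alertMessage"] is None:
            continue
        key = (e["alertMessage"], e["sourcetype"])
        if key not in newest or e["_time"] > newest[key]["_time"]:
            newest[key] = e
    return [dict(e, newCount=counts[(e["alertMessage"], e["sourcetype"])])
            for e in newest.values()]


if __name__ == "__main__":
    table = load_table(ALERTS_CSV)
    for mode in (False, True):
        rows = latest_open_alerts(EVENTS, table, STATUS, wildcard=mode)
        print(f"wildcard={mode}: {len(rows)} row(s) survive the dedup")
        for r in rows:
            print("  ", r["alertMessage"], r["sourcetype"], r["_time"], "newCount", r["newCount"])
```

With exact matching nothing survives: every event keeps a null alertMessage, passes the `where` (clearTime was filled with 0), gets no newCount from eventstats, and is then discarded by dedup. With wildcard matching one row survives, the newer of the two Reloading repositories events with newCount 2; the RememberMe event is excluded by its clearTime and the tomcat event by the sourcetype column. The corresponding check in Splunk is to run the search only as far as the first lookup and confirm that alertMessage is actually populated before adding the rest of the pipeline.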