Hello - This is my first time asking a question here. I receive a lot of answers by reading others' questions (thank you) so hopefully you can understand that I have done my fair share of searching before typing this all out. So here we go....
Assume that I have a fully functioning automated lookup using a CSV.
3 fields; **location**, **number**, **group** [which is used for call counts for each location/number]
The event logs populate the **number** field and the lookup populates the **location** & **group** fields.
What happens is that, if there are no events that have the **number** as listed in the table, it will not populate the **location**/**group** and call count (event count) for that entry. So for example: for Group A I have a complete list, as it is in the lookup, because all numbers show up in the event logs. However, for Group B I don't have a full list because some of the numbers needed to populate the lookup are not present in the logs. So Splunk will not list those locations in the table as there is essentially nothing to look up.
What I want is to have the complete list (as from the csv) listed in the table regardless if the lookup finds it or not and then if there are no matches for numbers, populate a 0 (zero) value for the table.

| Location | Number | Group | Calls |
|---|---|---|---|
| A | 1 | A | 4 |
| B | 2 | A | 5 |
| A | 3 | B | 3 |
| B | 4 | B | 0 (I want zero value because the number was not found in the logs.) |

I think that I might want to do a reverse look up? But something tells me there may be a very simple way to do this.
Thanks for your time, I look forward to your help!
-Chris
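
One way to get the zero-filled table described above, as an added example that is not part of the original post: count calls per **number** from the events, append every row of the CSV with a count of 0, then sum per number so entries with no events keep the 0. The index `your_index`, the sourcetype `your_call_logs` and the lookup file name `call_locations.csv` are hypothetical placeholders; the field names **location**, **number** and **group** are the ones from the question.

```spl
index=your_index sourcetype=your_call_logs
| stats count AS Calls BY number
| append
    [| inputlookup call_locations.csv
     | fields location number group
     | eval Calls=0]
| stats sum(Calls) AS Calls values(location) AS location values(group) AS group BY number
| where isnotnull(location)
| rename location AS Location, number AS Number, group AS Group
| table Location Number Group Calls
```

The `where isnotnull(location)` step drops numbers that appear in the logs but not in the CSV, so the output is exactly the CSV's list; remove it to see unlisted numbers as well.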