![]() ![]() Capitalization is fine (CI is a 3 letter full capital code), as far as in a separate trial i just lookup DOMServiceCatalogueLookup to retrieve 'ClusterAvailability' fields and it worked as expected. The SQL SELECT statement retrieves data from a database. My List.csv is something like below, that lists down the index and sorcetypes. Ciao, if i ran separately the searches they both provide results. In this section, weâll go through the most common/valuable SQL commands and offer suggestions on methods to use in SPL. ![]() How do I use fillnull or any other method to show the event & host count as 0 when there is no data for that index/sourcetype? | tstats count, dc(host) as hosts where However this search does not show an index - sourcetype in the output if it has no data during the last hour. yes its possible, putting attention that in the output of the subsearch theres also the field used as key in the join (as kamleshvaghela suggested) Anyway, I dont like join because its a very slow command to use only when there isnt any other solution (in other words in the 0.01 of the use cases). Channel Details: Title: Questions in topic: splunk-enterprise Channel Number: 54950717 Language. lookup OUTPUT .eg: SHost Name has values such as11xx 22xx 11yy 22yy And, I have the seperate lookups for both MSSQL & Oracle ie., lookup1 & lookup 2 lookup 1 contains hostname supportgroup. The index & sourcetype is listed in the lookup CSV file. Hi, I have search which has Shost name values of different DB instances say MSSQL and Oracle in a single field. I have the below query trying to produce the event and host count for the last hour.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |