topic How to add additional columns? in Deployment Architecture

How to add additional columns?

Miky — Tue, 02 Aug 2022 20:51:39 GMT

Hi folks,

Just started using splunk lately and I'm stuck with this alert that I want to create, I've been told to add priority ( P1,P2,P3 column) and job alias from pw_job_mopping lookup be added to this alert that already exist as additional columns.

Any help will be appreciated 🙏.

Re: How to add additional columns?

martinpu — Tue, 02 Aug 2022 20:57:26 GMT

add this to your query:

| lookup your_lookup_file.csv pw_job_mopping

this command assumes pw_job_mopping exists in both the lookup and your query and looks up identical values to enrich with all fields in the lookup

If you only want the priority field add outputnew priority_field as priority to the end of that line

This page has additional documentation on the lookup command:
https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Lookup

Re: How to add additional columns?

gcusello — Wed, 03 Aug 2022 07:00:30 GMT

Hi,

your request is just a little vague, could your share your search and the fields of your lookup?

Anyway, If in the lookup you have at least two columns: one is the "priority" and one is the "job", you could create something like @martinpu hinted:

your_search | lookup pw_job_mopping.csv job OUTPUT priority | table _time job priority

Ciao.

Giuseppe

Re: How to add additional columns?

Miky — Wed, 03 Aug 2022 18:54:56 GMT

Thanks,

Re: How to add additional columns?

martinpu — Wed, 03 Aug 2022 14:25:26 GMT

index=A sourcetype=B source=C
| rename queue as Queue
| lookup local=true pw_map.csv Queue
| where queue_disabled!="Y"
| eval queue_depth_threshold=mvdedup(queue_depth_threshold)
| eval over_threshold=if(curdepth>queue_depth_threshold,1,0)
| stats latest(curdepth) as curdepth first(curdepth) as firstCur count as event_count sum(over_threshold)
as over_threshold latest(avg_queue_depth) as avg_queue_depth latest(Priority) as Priority latest(Owner)
as queue_owner latest(queue_depth_threshold) as queue_depth_threshold latest(Team) as Team
latest(mt_impact) as mt_impact latest(mt_impact_desc) as mt_impact_desc latest(mt_impact_priority) as
mt_impact_priority latest(functional_impact) as functional_impact by Queue hostname
| where over_threshold>=3 AND curdepth>queue_depth_threshold
| eval Status=case((curdepth-firstCur)>0, "Queue Depth Increasing", (curdepth-firstCur)<0, "Queue Depth
Decreasing", (curdepth-firstCur)=0, "Queue Depth Stagnant")
| where Status!="Queue Depth Decreasing"
| lookup local=true pw_map.csv Queue

If you add that lookup to the end, does that solve your issue?

It matches Queue from lookup to Queue from results and outputs all fields from the lookup

Re: How to add additional columns?

Miky — Wed, 03 Aug 2022 14:43:23 GMT

It gives Error in lookup command: can not find the source field 'job' in the lookup table 'pw_job_map.csv.

Re: How to add additional columns?

martinpu — Wed, 03 Aug 2022 14:48:15 GMT

Are there any fields in your lookup that match a field in the result table?

Re: How to add additional columns?

Miky — Wed, 03 Aug 2022 19:28:44 GMT

gcusello it works, the problem is that I'm getting only priority1 not priority2 and priority3.

Just to be specific, under priority field I have 1,2,and3, but I'm getting only priority1.

Re: How to add additional columns?

gcusello — Fri, 12 Aug 2022 07:05:40 GMT

Hi @Miky,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉