https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98245#M20501 <P>outputlookup <span class="lia-unicode-emoji" title=":face_with_open_mouth:">😮</span> Thx</P> Thu, 18 Jul 2013 07:58:23 GMT timmalos 2013-07-18T07:58:23Z https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98242#M20498 <P>Hi guys.<BR /> With bpdbjobs from Netbackup i got a list of all my netbackup jobs yhich are completed.<BR /> Some of then have a jobStatus &gt; 1 means they are in error.<BR /> But sometimes, there are other jobs later who corrige the problem. In my list in splunk i want only see jobs in error <STRONG>which are not solved yet</STRONG>. Means there is no job with same caracteristic later having jobStatus=0. I do this with that search : </P> <PRE><CODE>sourcetype="Netbackup" host=$host$ | fillnull 0 jobCopy| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time | search jobStatus&gt;1 </CODE></PRE> <P>With that i can list errors still in error. <STRONG>But</STRONG> (I come to the point) sometimes the problem is solved by an operator and i want to delete the line from the list. I want to create a form where i put a jobId and this jobId should <STRONG>never</STRONG> appear in my list anymore. As i dont want to delete lines from indexes, i would add a line with same jobId but with more recent timestamp and jobStatus=0 (So that my search will not return it). Without write a file that Splunk index but directly by a form (Or other if you have an idea)<BR /> How can i do that?</P> <P>Thx a lot for those who read this, sorry for my english and thx a lot for any help.</P> Wed, 17 Jul 2013 14:46:58 GMT https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98242#M20498 timmalos 2013-07-17T14:46:58Z https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98243#M20499 <P>Create a list of the jobs that should <STRONG>not</STRONG> be shown in the report. Make it a CSV file, perhaps like this</P> <P>resolvedJobs.csv</P> <PRE><CODE>jobId,jobStatus,dateTimeResolved,currentState 12113,0,2013-07-13 14:25,resolved 17116,0,2013-07-14 11:33,resolved </CODE></PRE> <P>etc. Load this into Splunk as a lookup table. (<A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Tutorial/Usefieldlookups">Lookup tutorial</A>) When you create the lookup, set a default value of "unresolved". In the example below, I have called the lookup <CODE>jobLookup</CODE>. Now run this search:</P> <PRE><CODE>sourcetype="Netbackup" host=$host$ | fillnull 0 jobCopy | dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time | search jobStatus&gt;1 | lookup jobLookup jobId OUTPUT currentStatus | where currentStatus = "unresolved" </CODE></PRE> <P>There are lots of other interesting things that you can do with lookups. But this is one good application.</P> Wed, 17 Jul 2013 21:30:18 GMT https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98243#M20499 lguinn2 2013-07-17T21:30:18Z https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98244#M20500 <P>Thats a good start thx ! How can i create the resolvedJobs.csv from a form? I mean i can do a search and pipe to an outputcsv but it will put the file in $SPLUNK_HOME/var/run/splunk i would this file to be in $MY_APP_DIR/lookups so that i can do the lookup function</P> Mon, 28 Sep 2020 14:22:46 GMT https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98244#M20500 timmalos 2020-09-28T14:22:46Z https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98245#M20501 <P>outputlookup <span class="lia-unicode-emoji" title=":face_with_open_mouth:">😮</span> Thx</P> Thu, 18 Jul 2013 07:58:23 GMT https://community.splunk.com/t5/Getting-Data-In/Add-data-to-Splunk-from-a-form/m-p/98245#M20501 timmalos 2013-07-18T07:58:23Z