https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496442#M194666 <P>Hi All,</P> <P>I have a search like this:</P> <PRE><CODE>| mstats span=1d sum(_value) as "ClosedTime" WHERE index=metrics_prod metric_name=com.foo.timeClosed | eval ClosedTimeinMin = ((ClosedTime/1000)/60) | table _time ClosedTimeinMin </CODE></PRE> <P>It basically shows how long a device in a shop was closed (out of order) a day:</P> <PRE><CODE>"_time",ClosedTimeinMin "2019-09-25T00:00:00.000+0200","0.27218333333" "2019-09-26T00:00:00.000+0200","528.49098333333" "2019-09-27T00:00:00.000+0200","1077.4227000000" "2019-09-30T00:00:00.000+0200","3410.40781666667" "2019-10-01T00:00:00.000+0200","533.04851666667" </CODE></PRE> <P>The problem is that it contains those time periods as well when the shop was closed. When the shop is closed and the device is off it is not a problem so this time period should not be in the report. I can call a REST API which returns the opening hours of the shop. This Python script (which calls the REST API) is written according to the rules described here (external lookup): <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Configureexternallookups">https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Configureexternallookups</A><BR /> It was written by me so it can return the opening hours in any format. How could I use this script in the search in order to exclude the hours when the shop was closed? Can I use the "lookup" command together with "mstats" command? And if yes how should I phrase the query in order to achieve the desired result?</P> <P>Thanks,<BR /> Ivan</P> Tue, 01 Oct 2019 07:53:45 GMT zahorans 2019-10-01T07:53:45Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496442#M194666 <P>Hi All,</P> <P>I have a search like this:</P> <PRE><CODE>| mstats span=1d sum(_value) as "ClosedTime" WHERE index=metrics_prod metric_name=com.foo.timeClosed | eval ClosedTimeinMin = ((ClosedTime/1000)/60) | table _time ClosedTimeinMin </CODE></PRE> <P>It basically shows how long a device in a shop was closed (out of order) a day:</P> <PRE><CODE>"_time",ClosedTimeinMin "2019-09-25T00:00:00.000+0200","0.27218333333" "2019-09-26T00:00:00.000+0200","528.49098333333" "2019-09-27T00:00:00.000+0200","1077.4227000000" "2019-09-30T00:00:00.000+0200","3410.40781666667" "2019-10-01T00:00:00.000+0200","533.04851666667" </CODE></PRE> <P>The problem is that it contains those time periods as well when the shop was closed. When the shop is closed and the device is off it is not a problem so this time period should not be in the report. I can call a REST API which returns the opening hours of the shop. This Python script (which calls the REST API) is written according to the rules described here (external lookup): <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Configureexternallookups">https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Configureexternallookups</A><BR /> It was written by me so it can return the opening hours in any format. How could I use this script in the search in order to exclude the hours when the shop was closed? Can I use the "lookup" command together with "mstats" command? And if yes how should I phrase the query in order to achieve the desired result?</P> <P>Thanks,<BR /> Ivan</P> Tue, 01 Oct 2019 07:53:45 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496442#M194666 zahorans 2019-10-01T07:53:45Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496443#M194667 <P>I have the feeling that it is not even possible this way. Any other technique/extension/plugin/etc which might work?</P> Fri, 04 Oct 2019 12:57:57 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496443#M194667 zahorans 2019-10-04T12:57:57Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496444#M194668 <P>Hi zahorans,</P> <P>it should work like this and my apologies for using "meta-code" to sketch the idea:</P> <PRE><CODE>| mstats span=1d sum(_value) as "ClosedTime" WHERE index=metrics_prod metric_name=com.foo.timeClosed | &lt;external.py returning fields openingTime, closingTime as epoch (integer)&gt; &lt;&lt;&lt; Add the opening hours | where _time&gt;=openingTime AND _time&lt;=closingTime &lt;&lt;&lt; Select only the events that fall between open and close | stats sum(ClosedTimeinMin) as TotalOutage &lt;&lt;&lt; Sum up all outages to get the total Outage time </CODE></PRE> <P>Alternatively, you could add some additional parameter to the metrics, detailing the failed device/source and add a <STRONG>by</STRONG> to the stats to get the outages per device.</P> <P>This is just a rough sketch. To make it perfect, you would rather test if the end of the outage was inside the opening hours, clipping the outage length to the openingTime whenever the outage started before store open. The same could be done for all outages that start while open: clip their length at shop close. It gets tricky if an outage spans several days... but you get the point.</P> <P>Hope it helps<BR /> Oliver</P> Fri, 04 Oct 2019 14:59:42 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496444#M194668 ololdach 2019-10-04T14:59:42Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496445#M194669 <P>Thanks Oliver,<BR /> I am waiting for our Splunk admin to let me upload the script then I try what you suggested.<BR /> Cheers,<BR /> Ivan</P> Mon, 07 Oct 2019 08:17:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496445#M194669 zahorans 2019-10-07T08:17:24Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496446#M194670 <P>Hi Oliver,<BR /> Thanks for your answer. I am waiting for our Splunk admin to let me upload the script then I try what you suggested.<BR /> Cheers,<BR /> Ivan</P> Mon, 07 Oct 2019 08:20:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496446#M194670 zahorans 2019-10-07T08:20:24Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496447#M194671 <P>I tried to use an already existing lookup though and it didn't work:</P> <PRE><CODE> | mstats span=1d sum(_value) as "ClosedTime" WHERE index=till_sre_metrics_prod metric_name=com.tesco.ui.prod.timeOnClosedPage | lookup store_lookup.csv host AS host OUTPUTNEW store_number AS store_number | fields store_number </CODE></PRE> <P>the "store_number" field doesn't appear. Why? "Host" field should be available even in case of stats.</P> Mon, 07 Oct 2019 09:07:58 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496447#M194671 zahorans 2019-10-07T09:07:58Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496448#M194672 <P>It might be because of this statement: "You cannot use automatic lookups with metrics data."<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Metrics/Search">https://docs.splunk.com/Documentation/Splunk/7.3.1/Metrics/Search</A></P> Mon, 07 Oct 2019 09:35:07 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496448#M194672 zahorans 2019-10-07T09:35:07Z https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496449#M194673 <P>If this is true then I cannot really solve my original problem.</P> Mon, 07 Oct 2019 09:40:02 GMT https://community.splunk.com/t5/Splunk-Search/Using-external-lookup-and-mstats-together/m-p/496449#M194673 zahorans 2019-10-07T09:40:02Z