topic Re: Matching event results to a lookup field with a wildcard. in Splunk Search

Matching event results to a lookup field with a wildcard.

joeybagofdonuts — Fri, 12 Nov 2021 16:38:49 GMT

Hello!

I'm trying to build out a lookup of services on specific servers that I want to know when they've stopped. But I wanted to use wildcards for servers so I didn't need to type out a lot of servers.

This is the some sample data and the base of the search that I've been playing with.

host	Name	severity	failuresAllowed
server1234	service1	low	3
server1*	service2	high	1
server2*	service3	medium	2

index=windows source=service earliest=-20m
[inputlookup Windows_App_Services.csv | table host Name ]
| stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name
| join host Name type=outer [inputlookup Windows_App_Services.csv]

The first inputlookup pulls in just the server name and service we're looking at so that I can search only those events. Then I count how many of those events have a State of not running so I know how many times in the 20 minute lookup back period they haven't been running. Then I'd like to pull in severity and failuresAllowed so that I can use those to calculate severity in ITSI, but when I try to do the join it does not work because the host doesn't match what's in the lookup since it's wildcarded.

I've tried creating a wildcard match_type on that lookup, but that doesn't seem to help me. Anyone have any ideas?

Thanks for your help!

Re: Matching event results to a lookup field with a wildcard.

richgalloway — Fri, 12 Nov 2021 18:00:36 GMT

Create a new lookup definition called "Windows_App_Services" that references Windows_App_Services.csv. In the Advanced Options section, set the Match type field to "WILDCARD(host)".

Then replace the join in the query with a lookup.

Re: Matching event results to a lookup field with a wildcard.

joeybagofdonuts — Fri, 12 Nov 2021 18:38:57 GMT

Thanks! That worked for me, I was messing up the syntax of calling the lookup. I've accepted this as the solution, but I have a follow up question if you'd be so inclined.

Say I want to take it a step further and be able to list multiple hosts and be able to wild card. Like this for example:

host	Name	severity	failuresAllowed
server123::server234::server345	Service1	low	3
server1*	Service2	high	1
server123	Service3	medium	2

This works for the 2nd and 3rd row. Note that I'm doing my lookup by host and Name because certain servers could be looking at the same services with different severities resulting if it's stopped.

index=windows source=service earliest=-20m [inputlookup Windows_App_Services.csv | table host Name | makemv delim=:: host | mvexpand host] | stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name | lookup Windows_App_Services host Name OUTPUT severity failuresAllowed

However I'm not sure how to split out the hosts in the first row as this doesn't quite do it.

I'm at a point where I could probably bang my head against a wall for a little and figure it out, but any advice would be much appreciated!

Re: Matching event results to a lookup field with a wildcard.

joeybagofdonuts — Fri, 12 Nov 2021 19:39:30 GMT

I did some headslamming and realized I could just do this. Might not be the most efficient so still open to critiques, but this got me the results I wanted!