topic Re: How to restrict license report to slaves via lookup? in Splunk Search

How to restrict license report to slaves via lookup?

a212830 — Fri, 04 Nov 2016 14:42:06 GMT

Hi,

I want to run reports against certain slaves reporting into the license manager, and filter them via a lookup. Here's the existing search - is there a way to filter them via lookup and slave name (not guid) ?

index=_internal source=*license_usage.log type="RolloverSummary"   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time  | join type=outer slave_guid [rest splunk_server=local /services/licenser/slaves | rename label AS slave_name title AS slave_guid | table slave_guid slave_name] | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false limit=1000| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]

Re: How to restrict license report to slaves via lookup?

somesoni2 — Fri, 04 Nov 2016 15:44:25 GMT

Try this

1) Run following search to generate a lookup with all license slaves and corresponding GUID. I would create a scheduled saved search to get this lookup table (say license_slaves.csv) updated daily.

 | rest splunk_server=local /services/licenser/slaves | rename label AS slave_name title AS slave_guid | table slave_guid slave_name | outputlookup license_slaves.csv

2) Update your dashboard like this

a) add the data input (multiselect) to use the lookup

<input type="multiselect" token="slaves">
      <label>License Slaves</label>
      <choice value="*">All Slaves</choice>
      <search>
        <query>| inputlookup license_slaves.csv | table slave_guid slave_name</query>
      </search>
      <fieldForLabel>slave_name</fieldForLabel>
      <fieldForValue>slave_guid</fieldForValue>
      <default>*</default>
      <prefix>slave=</prefix>
      <delimiter> OR slave=</delimiter>
    </input>

b) Update you dashboard search like this
Updated

index=_internal source=*license_usage.log type="RolloverSummary" $slaves$ | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | stats max(b) AS volume by slave, _time | lookup license_slaves.csv slave_guid as slave OUTPUT slave_name  | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false limit=1000| join type=outer _time [search index=_internal source=license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach  * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Re: How to restrict license report to slaves via lookup?

a212830 — Fri, 04 Nov 2016 17:39:56 GMT

Thanks - give me: Mismatched ']'.

Re: How to restrict license report to slaves via lookup?

somesoni2 — Fri, 04 Nov 2016 23:02:25 GMT

Missed removing a bracket. Try the updated answer now.