Sorry for the simple question, I am new to the Splunk world....
I have a CSV loaded (StandardMaintenance.csv) which has two rows.
I want to add a check to each alert so that they will not fire during maintenance.
Here is my code...
....query goes here...
| lookup StandardMaintenance.csv UnderMaintenance
| search NOT UnderMaintenance="NO"
What am I doing wrong or how better might I accomplish this?
Thanks for the response. The CSV file only consists of the one field. I want maintenance to be either on or off. If off, run query; if on, don't run query. I am not marking individual hosts, it is all or nothing.
| inputlookup StandardMaintenance WHERE UnderMaintenance="Yes"
index=os sourcetype=vmstat NOT [ | inputlookup StandardMaintenance WHERE UnderMaintenance="Yes" | fields host | table host ]
| fields memUsedPct, host
| stats avg(memUsedPct) as avgMemUsed by host
| where avgMemUsed > 75
| table host
Thanks. I have no additional information in the StandardMaintenance table. I simply want to use the table as a check... If UnderMaintenance is NO, execute query (thus generate an alert).
To use your example, I want to run the index=os sourcetype=vmstat query only when UnderMaintenance is "NO".
I know I should be able to deduce it from what you provided, but I am still struggling. Any additional input is appreciated.
What are you looking up against, i.e. what's the matching criteria in the search and the lookup?
Also, in the above search, if you want only those events which are not under maintenance, you should use
| search UnderMaintenance="NO"
Do you want to put all the things in downtime?
If you had only a few hosts in the lookup at any time, you could do something like this:
search string NOT [|inputlookup hosts_in_maint.csv | table host | format]
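For the all-or-nothing case the asker describes (a single UnderMaintenance flag in the CSV, no host column to match on), the flag can be pulled into the result set with append and spread across every row with eventstats, then used as a plain where filter. This is an added example, not code from any post in the thread; it assumes the index, sourcetype, field names and the "NO"/"Yes" values used above, and that StandardMaintenance.csv holds one row with an UnderMaintenance column.

```spl
index=os sourcetype=vmstat
| stats avg(memUsedPct) as avgMemUsed by host
| where avgMemUsed > 75
| append
    [| inputlookup StandardMaintenance.csv
     | head 1
     | fields UnderMaintenance ]
| eventstats values(UnderMaintenance) as maintFlag
| where isnotnull(host) AND upper(maintFlag)="NO"
| table host avgMemUsed
```

The appended lookup row carries no host, so it is dropped after its flag has been copied onto the real rows; if the CSV is missing or empty, maintFlag is null and the alert stays silent, so a broken lookup suppresses alerts rather than firing them, which is worth checking for when the alert goes quiet.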