- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Using Inputlookup to check if the server is reacha...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search which checks if the server is not sending the data within 5 minutes of time. Also i have a list of servers for which i need to check for the incoming data( I can use that as an inputlookup ) .
Now i want to run the main search and check for the hosts which are existing in that lookup and give me the counts of events. If for a host which is present in lookup but doesnt have any event in the index, i want count=0 .
index=main sourcetype="Perfmon:*"
| stats count as Events_count by host,hostType
And i have a lookup which has field host . My goal is to mark the server as RED if any of the server in the list is not sending the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this!
index=main sourcetype="Perfmon:*"
| stats count as Events_count by host,hostType
| append [|inputlookup your_lookup.csv|eval Events_count=0|table host,hostType,Events_count]
| stats max(Events_count) as Events_count by host,hostType
※your_lookup.csv:host,hostType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this!
index=main sourcetype="Perfmon:*"
| stats count as Events_count by host,hostType
| append [|inputlookup your_lookup.csv|eval Events_count=0|table host,hostType,Events_count]
| stats max(Events_count) as Events_count by host,hostType
※your_lookup.csv:host,hostType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@macadminrohit
Below mentioned code is a sample one ..
You can replace with your own lookup name in the place of (lookupname ).
If you want to get any field from lookup file place in after the OUTPUT command.
then simple stats and where clause to get the count..
Once you get the count from UI itself you can set the coloring ..
index=main sourcetype="Perfmon:*"
| lookup lookupname host OUTPUT hostType
| where isnotnull(hostType)
| stats count as Events_count by host,hostType
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
