Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why is there a problem when passing a command thro...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
07-10-2018
04:37 AM
Hi guys,
| inputlookup Threshold_Perfil.csv
| join perfil max=0
[| inputlookup Perfis_Threshold.csv
| fields perfil counter object
| dedup perfil counter object ]
| eval counter= "counter='"."".counter.""."' "
| eval object= " object='".object."' "
| eval cmdline= " (".counter.object.") OR "
| stats values(cmdline) as cmdline by host perfil
| mvcombine delim="," cmdline
| head 10
| map search="earliest=-1h index="main" $cmdline$ sourcetype="nullableone" | stats count by object counter"
I'm using search above trying to pass a collection of counter and objects to make my search...
(counter='% Processor Time' object='Processor' ) OR (counter='Status' object='SWInterface' )
I have many servers and I want to check if Splunk is collecting correctly in each server, but when I'm passing my "cmdline" my map command is not running because splunk adds quotes after and before "cmdline" field.
earliest=-1h index=main " (counter='% Processor Time' object='Processor' ) OR (counter='Status' object='SWInterface' ) OR (counter='Temperatura' object='Temperatura' ) OR (counter='network_updown' object='ping' ) OR (counter='snmpwalk' object='bgp_router_status' ) OR " sourcetype=nullableone | stats count by object counter'.
If there is another way to do this I'll be happy to see.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-10-2018
08:41 AM
Give this a try
| inputlookup Threshold_Perfil.csv
| join perfil max=0
[| inputlookup Perfis_Threshold.csv
| fields perfil counter object
| dedup perfil counter object ]
| eval counter="counter='".counter."' "
| eval object=" object='".object."' "
| eval cmdline= "(".counter.object.")"
| stats values(cmdline) as cmdline by host delim=" OR " | nomv cmdline
| head 10
| map search="search earliest=-1h index="main" [gentimes start=-1 | eval search=\"$cmdline$\" | rex mode=sed field=search "s/\\\"//g" | table search] sourcetype="nullableone" | stats count by object counter"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-28-2019
02:53 PM
Also, see this Q&A for a super-flexible general approach to handle this kind of thing:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-10-2018
08:41 AM
Give this a try
| inputlookup Threshold_Perfil.csv
| join perfil max=0
[| inputlookup Perfis_Threshold.csv
| fields perfil counter object
| dedup perfil counter object ]
| eval counter="counter='".counter."' "
| eval object=" object='".object."' "
| eval cmdline= "(".counter.object.")"
| stats values(cmdline) as cmdline by host delim=" OR " | nomv cmdline
| head 10
| map search="search earliest=-1h index="main" [gentimes start=-1 | eval search=\"$cmdline$\" | rex mode=sed field=search "s/\\\"//g" | table search] sourcetype="nullableone" | stats count by object counter"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-10-2018
09:16 AM
Exactly what I was going to propose.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
07-10-2018
04:52 AM
@ppatrikfr do you have some sample values for cmdline. Also do you want to use it as text filter or key value pair? From he query seems like it is a text filter.
Also is the issue while running above in Splunk Search window or in Dashboard?
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
07-10-2018
05:16 AM
cmdline =
(counter='% Processor Time' object='Processor' ) OR (counter='Status' object='SWInterface' ) OR (counter='Temperatura' object='Temperatura' ) OR (counter='network_updown' object='ping' ) OR (counter='snmpwalk' object='bgp_router_status' ) OR
I just want splunk to identify as search command but those quotes are making them just a text filter. Also I'm running in window not dashboard.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
