
help to adapt a search with a new datasource

jip31
Motivator

Hello

Until now, I was using this search:

[| inputlookup host.csv 
    | table host] `fiability` 
| fields host Logfile SourceName ProductName 
| eval host=upper(host) 
| lookup fo_all HOSTNAME as host output SITE 
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)
| stats count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName  
| sort -"Number of crashes" 
| head 10

The host.csv lookup was updated manually in order to add new hostnames.

The lookup host.csv is now replaced by a KV store called "cmdb_fo_all":

| inputlookup cmdb_fo_all where TYPE="Ind"

With this KV store, it's possible to automatically filter the type of hostname I need.

Please also note that the field host is called "HOSTNAME" in this KV.

Now I need to replace the lookup with the KV store in my search.

Could you help me please?


richgalloway
SplunkTrust
SplunkTrust

You appear to have what you need. The only thing missing is a rename of the new field to match that used by the rest of the query.

[| inputlookup cmdb_fo_all where TYPE="Ind" | rename HOSTNAME as host
    | table host] `fiability` 
| fields host Logfile SourceName ProductName 
| eval host=upper(host) 
| lookup fo_all HOSTNAME as host output SITE 
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)
| stats count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName  
| sort -"Number of crashes" 
| head 10

---
If this reply helps you, an upvote would be appreciated.

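A way to check what the KV-store subsearch above actually hands to the outer search, added here as an example (it is not part of the thread): run the subsearch on its own and append `format`, which shows the generated filter in a field called `search`. It assumes the `cmdb_fo_all` collection, `TYPE` and `HOSTNAME` fields from the question.

```spl
| inputlookup cmdb_fo_all where TYPE="Ind"
| rename HOSTNAME as host
| table host
| dedup host
| format
```

The `search` field should read `( ( host="..." ) OR ( host="..." ) ... )`; if it contains `HOSTNAME=` instead of `host=`, the rename is missing and the outer `fields host ...` will drop every event. Subsearches are capped by `maxout` in the `[subsearch]` stanza of limits.conf (10,000 results by default), so a KV store with more matching rows than that would silently truncate the host list.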


jip31
Motivator

thanks richgalloway

0 Karma