What would be the best way to add a 'hostname' field to the 'Status Overview' dash under Uptime Monitoring? I noticed under 'Data Inputs' / 'Ping', a name (hostname) exists as new hosts are added. Would there be a way to join this field over into my data for 'Uptime Monitoring'? Been at this a while and it seems like the answer is much more simple than I'm looking at this. Thanks.
Assuming the columns for your lookup table are titled "dest" and "hostname" and your lookup is named "hostnameLookup.csv", you would add the following to your search: "| lookup hostnameLookup.csv dest OUTPUT hostname"
Complete search:
sourcetype="ping_input"
| stats sparkline(avg(avg_ping)) as sparkline_ping avg(avg_ping) as ping max(max_ping) as max_ping latest(packet_loss) as packet_loss latest(_time) as last_checked range(avg_ping) as range min(avg_ping) as min by dest
| search
| eval ping=round(ping, 0)." ms"
| eval average=round(avg_ping, 0)." ms"
| eval maximum=round(max_ping, 0)." ms"
| eval range=round(min, 0)." - ".round(min+range, 0)." ms"
| eval packet_loss=if(max_ping="NA",100,packet_loss)
| lookup hostnameLookup.csv dest OUTPUT hostname
| table dest hostname packet_loss last_checked ping max_ping range sparkline_ping
| `timesince(last_checked,last_checked)`
| sort -ping
Thank you so much for this answer, as it was 99% of the key to my resolution. The other 1% was adding in an 'as' to reference the IP field from the lookup to my data, then OUTPUT that to the newly created field:
|lookup hostnameLookup.csv IP as dest OUTPUT hostname
Worked perfectly and could not have done it without your awesomeness.
Thank you!
We're going to need more information to work with. For starters, what app are you working in? What have you tried? What isn't working? Screenshots are often helpful, too.
Thanks for your response and I apologize for lack of clarity.
I am working in the 'Network Toolkit' App under the 'Status Overview' portion to provide ICMP monitoring for various hosts.
Currently the 'Status Overview' provides a 'dest' field that contains an IP address, and I would like to create an additional 'hostname' field respectively for easier reference with the IP of a particular host.
Splunk support has provided me with a suggestion of creating a lookup which contains an IP address and hostname imported via CSV file for each host. I've managed to create a lookup, but trying to use the 'inputlookup' command is failing for me, probably because I am a noob and not using it correctly.
An additional option is under 'Settings' / 'Data Inputs' / 'Ping'. Within this dash there is a 'name' field which is populated when entering a new host from this dash. If I could somehow grab that field from here and merge it with the data in the 'Status Overview' dash, that could work too.
Any assistance would be greatly appreciated on this. Btw, I tried importing screen snips but don't see where to import them within this.