Solved: Re: How to map my query with inputlookup values?

karthi2809 · ‎03-31-2023

I am running script to get ping status of the servers and i onboarded the logs and extract filed as Servers.Now in my inputlookup i have 5 fields (ServerName,ApplicationName,Environment,Alias,IPAdress).So i need to map the query result with inputlookup.

Thanks in Advance

richgalloway · ‎03-31-2023

Use lookup rather than inputlookup.

index=foo sourcetype=StatusPing 
| rex field=_raw "^[^\|\n]*\|\s+(?P<Servers>[^ ]+)" 
| eval Status=case(Lost=0, "UP", Lost=2, "Warning", Lost=4, "Down")
| rename Servers as ServerName
| lookup PingStatus.csv ServerName
| table Alias,EnvironmentName,ApplicationName,ServerName,IPAddress,Lost,Status

Don't use index=* in a production query. Your Splunk admin will hate you for it. 🙂

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-31-2023

Use lookup rather than inputlookup.

index=foo sourcetype=StatusPing 
| rex field=_raw "^[^\|\n]*\|\s+(?P<Servers>[^ ]+)" 
| eval Status=case(Lost=0, "UP", Lost=2, "Warning", Lost=4, "Down")
| rename Servers as ServerName
| lookup PingStatus.csv ServerName
| table Alias,EnvironmentName,ApplicationName,ServerName,IPAddress,Lost,Status

Don't use index=* in a production query. Your Splunk admin will hate you for it. 🙂

---
If this reply helps you, Karma would be appreciated.

karthi2809 · ‎04-03-2023

Thanks

How to map my query with inputlookup values?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!