I am running a script to get the ping status of the servers, and I onboarded the logs and extracted a field as Servers. Now in my inputlookup I have 5 fields (ServerName, ApplicationName, Environment, Alias, IPAdress). So I need to map the query result with the inputlookup.
index=* sourcetype=StatusPing
| rex field=_raw "^[^\|\n]*\|\s+(?P<Servers>[^ ]+)"
| eval Status=case(Lost=0, "UP", Lost=2, "Warning", Lost=4, "Down")
| append [| inputlookup PingStatus.csv | rename Servers as ServerName ]
| table Alias,EnvironmentName,ApplicationName,ServerName,IPAddress,Lost,Status
Thanks in Advance
Use lookup rather than inputlookup.
index=foo sourcetype=StatusPing
| rex field=_raw "^[^\|\n]*\|\s+(?P<Servers>[^ ]+)"
| eval Status=case(Lost=0, "UP", Lost=2, "Warning", Lost=4, "Down")
| rename Servers as ServerName
| lookup PingStatus.csv ServerName
| table Alias,EnvironmentName,ApplicationName,ServerName,IPAddress,Lost,Status
Don't use index=* in a production query. Your Splunk admin will hate you for it. 🙂
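To make the difference between the two approaches concrete, here is an added Python model of what the asker's `append [| inputlookup ...]` produces versus what the answer's `lookup PingStatus.csv ServerName` produces. This is example code written for this thread, not Splunk code and not part of either post; the ping events, the Lost values and the CSV contents are constructed, the Lost field is assumed to already be extracted, and lookup matching is modelled as an exact match on ServerName.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed ping events, as they would look after the rex in the thread:
# a Servers field plus a Lost count (assumed to be an existing extracted field).
PING_EVENTS = [
    {"Servers": "web01", "Lost": 0},
    {"Servers": "db01", "Lost": 4},
    {"Servers": "app01", "Lost": 2},
    {"Servers": "legacy09", "Lost": 3},   # no inventory row, and an odd Lost value
]

# Constructed PingStatus.csv; the column names are the ones the asker listed.
PING_STATUS_CSV = """ServerName,ApplicationName,Environment,Alias,IPAdress
web01,Portal,prod,portal-web,10.0.0.11
db01,Portal,prod,portal-db,10.0.0.12
app01,Billing,test,bill-app,10.0.1.20
"""


def load_lookup(text: str) -> Dict[str, dict]:
    """Parse the lookup CSV into a dict keyed on ServerName."""
    return {row["ServerName"]: row for row in csv.DictReader(io.StringIO(text))}


def status_from_lost(lost: int) -> Optional[str]:
    """Mirror of eval Status=case(Lost=0,"UP", Lost=2,"Warning", Lost=4,"Down").
    Like SPL case() with no default branch, any other value yields null (None)."""
    return {0: "UP", 2: "Warning", 4: "Down"}.get(lost)


def _event_row(event: dict) -> dict:
    """Rename Servers to ServerName and compute Status, as both queries do."""
    return {"ServerName": event["Servers"], "Lost": event["Lost"],
            "Status": status_from_lost(event["Lost"])}


def append_approach(events: List[dict], lookup_text: str) -> List[dict]:
    """Model of `... | append [| inputlookup PingStatus.csv]`.
    The inventory rows are added as extra results below the events;
    no event ever receives Alias, Environment or IPAdress on its own row."""
    results = [_event_row(e) for e in events]
    results.extend(csv.DictReader(io.StringIO(lookup_text)))
    return results


def lookup_approach(events: List[dict], lookup_text: str) -> List[dict]:
    """Model of `... | rename Servers as ServerName | lookup PingStatus.csv ServerName`.
    Each event is enriched in place with the columns of the matching inventory row."""
    inventory = load_lookup(lookup_text)
    results = []
    for e in events:
        row = _event_row(e)
        match = inventory.get(row["ServerName"])  # exact-match on the key (assumption)
        if match:
            row.update({k: v for k, v in match.items() if k != "ServerName"})
        results.append(row)
    return results


def unmapped_servers(rows: List[dict]) -> List[str]:
    """Servers that sent ping events but have no inventory row: the equivalent of
    `| where isnull(Alias)` after the lookup, useful for spotting hosts missing
    from the CSV rather than silently reporting them without an owner."""
    return [r["ServerName"] for r in rows if "Alias" not in r]


if __name__ == "__main__":
    print("append produces", len(append_approach(PING_EVENTS, PING_STATUS_CSV)), "rows")
    for row in lookup_approach(PING_EVENTS, PING_STATUS_CSV):
        print(row)
    print("not in inventory:", unmapped_servers(lookup_approach(PING_EVENTS, PING_STATUS_CSV)))
```

Two caveats the model makes visible: the `case()` has no default branch, so an unexpected Lost value leaves Status empty, and `table` only shows fields that exist under exactly the name given, so the CSV columns (`IPAdress`, `Environment`) must match the names used in the `table` command (`IPAddress`, `EnvironmentName`) or those columns come out blank.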