Hi all,
I have an established query which is working fine. But when I try to add the inputlookup to the query, it's not working. I am using a federated search.
My need is to configure a maintenance table as a CSV lookup and refer to it in the query.
When I try to access the CSV file via inputlookup, I get an error.
Can you please suggest whether there is a way to configure maintenance for a particular backend via a lookup table and refer to it in the query? I want to exclude the backend host for a particular date and time.
Query below:
index="federated:XXX" ("HTTP response code" OR "url-open" OR "Host connection failed") NOT "HTTP response code 2**"
| rex field=_raw "https://(?<backend>.*)\:"
| rex field=_raw "gtid\(\w{1,24}\): (?<error>.*)"
| rex field=_raw "^<\d+>(?P<date>\d+\-\d+\-\d+\w+:\d+:\d+\.\d+)[^ \n]* (?P<host>\w+)\s+\[(?P<domain>[^\]]+)"
| eval thresholdValue = case(backend=="******" AND domain=="*****", 500, backend=="abcd.com" AND domain!="abcd-ALERTS", 350, backend=="ertyu.com" AND domain=="ertyu", 1000, backend!="qwerty.com", 100)
| stats count by domain,backend,error,source,thresholdValue
| sort -count
| where count>thresholdValue
| eval Priority=if(count>200,"3","4")
| eval createINCTicket="0"
| table domain,backend,error,source,thresholdValue,Priority,count,createINCTicket
| lookup incsearch DOMAIN AS domain URL AS backend OUTPUT APPCODE AS BackendAppcode CREATETICKET AS CT INCIDENT AS incident
Maintenance CSV lookup:
maint_backend | maint_domain | date_hour_start | date_hour_end | date_mday_start | date_mday_end |
abcd.com | abcd-abcd | 1 | 3 | 6 | 7 |
This federated search is not currently supported. The search job has failed due to an error
There you go. You're trying to do something that is not supported.
Federated Search requires lookup tables to be maintained on both the Federated and Remote search heads.
Yes. I have configured the same lookup table in both places. Still I get an error.
The inputlookup command is not allowed in Federated Search. See https://docs.splunk.com/Documentation/Splunk/9.0.1/Search/Searchacrosslocalandremotedeployments#Rest...
Thank you. 🙂 I don't want to keep editing the query every time a particular host goes into maintenance.
Is there any other way to configure maintenance?
Appreciate your help
Perhaps you could modify the query to use lookup instead of inputlookup?
Another, less optimal, option is to put the maintenance list in an index instead of a lookup file.
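A sketch of the `lookup`-based approach suggested above, added here as an example and not posted by anyone in the thread. It assumes the maintenance CSV is defined as a lookup named `backend_maintenance` (a hypothetical name) on both search heads, that `lookup` is accepted by the federated search in use, and that the hour window applies on each day of the `date_mday` range.

```spl
index="federated:XXX" ("HTTP response code" OR "url-open" OR "Host connection failed") NOT "HTTP response code 2**"
| rex field=_raw "https://(?<backend>.*)\:"
| rex field=_raw "^<\d+>(?P<date>\d+\-\d+\-\d+\w+:\d+:\d+\.\d+)[^ \n]* (?P<host>\w+)\s+\[(?P<domain>[^\]]+)"
| eval event_hour=tonumber(strftime(_time, "%H")), event_mday=tonumber(strftime(_time, "%d"))
| lookup backend_maintenance maint_backend AS backend maint_domain AS domain OUTPUT date_hour_start date_hour_end date_mday_start date_mday_end
| eval in_maintenance=if(isnotnull(date_hour_start) AND event_mday>=tonumber(date_mday_start) AND event_mday<=tonumber(date_mday_end) AND event_hour>=tonumber(date_hour_start) AND event_hour<=tonumber(date_hour_end), 1, 0)
| where in_maintenance=0
| fields - event_hour event_mday in_maintenance date_hour_start date_hour_end date_mday_start date_mday_end
| stats count by domain,backend
```

The filter has to run before `stats`, because the event time is no longer available once the events are aggregated; the remaining stages of the original query can follow the `where` unchanged. The sketch expects at most one maintenance row per backend and domain pair, since several matching rows would return multivalue window fields.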
What error do you get?