Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Inputlookup to check if the server is reachable or not.

macadminrohit
Contributor
‎07-23-2018 07:51 PM

I have a search which checks if the server is not sending the data within 5 minutes of time. Also i have a list of servers for which i need to check for the incoming data( I can use that as an inputlookup ) .

Now i want to run the main search and check for the hosts which are existing in that lookup and give me the counts of events. If for a host which is present in lookup but doesnt have any event in the index, i want count=0 .

index=main sourcetype="Perfmon:*"
| stats count as Events_count by host,hostType

And i have a lookup which has field host . My goal is to mark the server as RED if any of the server in the list is not sending the data.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎07-23-2018 09:39 PM

Try this!

index=main sourcetype="Perfmon:*" 
| stats count as Events_count by host,hostType
| append [|inputlookup your_lookup.csv|eval Events_count=0|table host,hostType,Events_count]
| stats max(Events_count) as Events_count by host,hostType

※your_lookup.csv:host,hostType

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎07-23-2018 09:39 PM

Try this!

index=main sourcetype="Perfmon:*" 
| stats count as Events_count by host,hostType
| append [|inputlookup your_lookup.csv|eval Events_count=0|table host,hostType,Events_count]
| stats max(Events_count) as Events_count by host,hostType

※your_lookup.csv:host,hostType
0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎07-23-2018 09:35 PM

@macadminrohit

Below mentioned code is a sample one ..
You can replace with your own lookup name in the place of (lookupname ).
If you want to get any field from lookup file place in after the OUTPUT command.
then simple stats and where clause to get the count..
Once you get the count from UI itself you can set the coloring ..

index=main sourcetype="Perfmon:*"
| lookup lookupname  host OUTPUT  hostType  
| where  isnotnull(hostType) 
| stats count as Events_count by host,hostType
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...