Using Inputlookup to check if the server is reachable or not.

macadminrohit
Contributor

I have a search which checks if the server is not sending the data within 5 minutes of time. Also, I have a list of servers for which I need to check for the incoming data (I can use that as an inputlookup).

Now I want to run the main search and check for the hosts which exist in that lookup and give me the counts of events. If a host is present in the lookup but doesn't have any event in the index, I want count=0.

index=main sourcetype="Perfmon:*"
| stats count as Events_count by host,hostType

And I have a lookup which has the field host. My goal is to mark the server as RED if any of the servers in the list is not sending the data.

0 Karma
1 Solution

HiroshiSatoh
Champion

Try this!

index=main sourcetype="Perfmon:*" 
| stats count as Events_count by host,hostType
| append [|inputlookup your_lookup.csv|eval Events_count=0|table host,hostType,Events_count]
| stats max(Events_count) as Events_count by host,hostType

※your_lookup.csv:host,hostType

0 Karma

Shan
Builder

@macadminrohit

The code mentioned below is a sample.
You can put your own lookup name in place of (lookupname).
If you want to get any field from the lookup file, place it after the OUTPUT command.
Then use a simple stats and where clause to get the count.
Once you get the count, you can set the coloring from the UI itself.

index=main sourcetype="Perfmon:*"
| lookup lookupname  host OUTPUT  hostType  
| where  isnotnull(hostType) 
| stats count as Events_count by host,hostType 
0 Karma
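
Added example, not code from any post in this thread: a variant of the append/inputlookup approach that also produces the RED status the question asks for. It assumes your_lookup.csv has the columns host and hostType (as in the accepted answer), that every lookup row has a hostType value, and a 5-minute search window; the field names status and last_seen are made up here.

```spl
index=main sourcetype="Perfmon:*" earliest=-5m@m latest=now
| eval host=lower(host)
| stats count as Events_count, max(_time) as last_seen by host
| append
    [| inputlookup your_lookup.csv
     | eval host=lower(host), Events_count=0
     | fields host, hostType, Events_count]
| stats max(Events_count) as Events_count, max(last_seen) as last_seen, values(hostType) as hostType by host
| where isnotnull(hostType)
| eval status=if(Events_count=0, "RED", "GREEN")
| eval last_seen=if(isnull(last_seen), "no events in window", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| sort - status, host
| table host, hostType, Events_count, last_seen, status
```

Here hostType comes only from the lookup and host is lower-cased on both sides, so a listed server is not dropped because its events lack a hostType field or report the host name in a different case. Hosts that send data but are not in the lookup are filtered out by the where clause.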