I have a search which checks if the server is not sending the data within 5 minutes of time. Also I have a list of servers for which I need to check for the incoming data (I can use that as an inputlookup).
Now I want to run the main search and check for the hosts which exist in that lookup and give me the counts of events. If a host is present in the lookup but doesn't have any event in the index, I want count=0.
index=main sourcetype="Perfmon:*"
| stats count as Events_count by host,hostType
And I have a lookup which has the field host. My goal is to mark the server as RED if any of the servers in the list is not sending the data.
Try this!
index=main sourcetype="Perfmon:*"
| stats count as Events_count by host,hostType
| append [|inputlookup your_lookup.csv|eval Events_count=0|table host,hostType,Events_count]
| stats max(Events_count) as Events_count by host,hostType
※ your_lookup.csv: host,hostType
@macadminrohit
The code below is a sample one.
You can replace (lookupname) with your own lookup name.
If you want to get any field from the lookup file, place it after the OUTPUT command.
Then a simple stats and where clause to get the count.
Once you get the count, from the UI itself you can set the coloring.
index=main sourcetype="Perfmon:*"
| lookup lookupname host OUTPUT hostType
| where isnotnull(hostType)
| stats count as Events_count by host,hostType
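Putting the two approaches together for the original goal (count per listed host, 0 for silent ones, RED/GREEN status over the 5-minute window), as an added example that is not from any of the posters above; it assumes your_lookup.csv has the fields host and hostType, and the in_lookup flag and status/last_seen names are my own:

```spl
index=main sourcetype="Perfmon:*" earliest=-5m@m latest=now
| stats count as Events_count, max(_time) as last_seen by host
| append
    [| inputlookup your_lookup.csv
     | eval Events_count=0, in_lookup=1
     | table host, hostType, Events_count, in_lookup]
| stats max(Events_count) as Events_count,
        max(last_seen) as last_seen,
        max(in_lookup) as in_lookup,
        values(hostType) as hostType
  by host
| where in_lookup=1
| eval status=if(Events_count=0, "RED", "GREEN")
| eval last_seen=if(isnull(last_seen), "none in window", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host, hostType, Events_count, last_seen, status
| sort Events_count
```

Grouping by host alone (rather than host,hostType) avoids a host splitting into two rows when the hostType in the index differs from the one in the lookup; drop the `where in_lookup=1` line if you also want to see hosts that report data but are not on the list.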