How to run a query from a lookup file?

SapthagiriAavik · ‎07-17-2018

I am working on a threshold value dashboard for many index and sources, i want to show whether those parameters running under a threshold value or not. so i have created a lookup file with two fields , first fields describes kpi name and second field is a query to determine threshold value.

lookup file format is something like this,

KPI_Name Query
KPI_001 "index=ph3 sourcetype=dbmon| timechart avg(TransactionsPerSec) as avg_trans | eval "Threshold value" = 10100 |eval comd_val=if(avg_trans<="Threshold value","Under_Control","Critical")|table comd_val"

KPI_002 "index=ph3 sourcetype=CPUmon|........................etc"

KPI_003 "index=ph3 sourcetype=unix_top|........................etc"
. .
. .
KPI_050 "index=ph3 sourcetype=unix_cpu|........................etc "

so the field query value in lookup file is different in every case but output is either critical or under control.

i want to show each kpi and correspondent threshold value either critical or under_control in a same panel. please help me.

renjith_nair · ‎07-17-2018

You could use the lookup only for KPI_Name and Threshold and does the rest of the calculation in main search itself.
For e.g.

index=ph3 sourcetype=dbmon |"your other search terms"|lookup your_lookup_table_name KPI_Name OUTPUT Threshold 
|eval comd_val=if(avg_trans<="Threshold ","Under_Control","Critical")|table comd_val"

Happy Splunking!

SapthagiriAavik · ‎07-17-2018

every query in that lookup file is completely different. i want a dashboard to show all of the different threshold condition in a single panel, Now i have 50 different queries in lookup file in future it may reach 150.so manually writing query in panel seems very tough

How to run a query from a lookup file?

Platform Newsletter Highlights | March 2023

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor