Splunk IT Service Intelligence

How to run a query from a lookup file?


I am working on a threshold value dashboard for many indexes and sources. I want to show whether those parameters are running under a threshold value or not, so I have created a lookup file with two fields: the first field describes the KPI name and the second field is a query to determine the threshold value.

The lookup file format is something like this:

KPI_Name Query
KPI_001 "index=ph3 sourcetype=dbmon| timechart avg(TransactionsPerSec) as avg_trans | eval "Threshold value" = 10100 |eval comd_val=if(avg_trans<='Threshold value',"Under_Control","Critical")|table comd_val"

KPI_002 "index=ph3 sourcetype=CPUmon|........................etc"

KPI_003 "index=ph3 sourcetype=unix_top|........................etc"
. .
. .
KPI_050 "index=ph3 sourcetype=unix_cpu|........................etc "

So the field query value in the lookup file is different in every case, but the output is either critical or under control.

I want to show each KPI and its corresponding threshold value, either critical or under_control, in the same panel. Please help me.

0 Karma


You could use the lookup only for KPI_Name and Threshold and do the rest of the calculation in the main search itself.
For example:

index=ph3 sourcetype=dbmon |"your other search terms"|lookup your_lookup_table_name KPI_Name OUTPUT Threshold
|eval comd_val=if(avg_trans<=Threshold,"Under_Control","Critical")|table comd_val
Happy Splunking!
0 Karma


Every query in that lookup file is completely different. I want a dashboard to show all of the different threshold conditions in a single panel. Right now I have 50 different queries in the lookup file; in the future it may reach 150, so manually writing each query in a panel seems very tough.

0 Karma
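
A check for the design discussed in this thread, added here as an example (not code from any poster or from Splunk): when a dashboard executes SPL stored in a lookup, whoever can edit the lookup decides what runs, so each stored query is checked against an allowlist before it is used. The policy (only `index=ph3`, six reporting commands), the ids `KPI_X01`/`KPI_X02` and the file name `kpi_queries.csv` are assumptions or constructed sample values.

```python
import csv
import io
import re

# Assumed policy (not from the page): stored KPI queries may read only
# index=ph3 and may use only these reporting commands after the base search.
ALLOWED_INDEX = "ph3"
ALLOWED_COMMANDS = {"timechart", "stats", "eval", "where", "table", "fields"}


def check_query(spl):
    """Return the policy violations for one stored query (empty list = OK)."""
    # Blank out quoted literals so pipes or brackets inside them are ignored.
    bare = re.sub(r'"(?:\\.|[^"\\])*"', '""', spl)
    problems = []
    if bare.count('"') % 2:
        problems.append("unbalanced quotes")
    if "[" in bare:
        problems.append("subsearch not allowed")
    if "`" in bare:
        problems.append("macro not allowed")
    base, *stages = [part.strip() for part in bare.split("|")]
    # Fail closed: exactly one unquoted index=<ALLOWED_INDEX> term is required.
    indexes = re.findall(r"\bindex\s*=\s*([\w*-]*)", base)
    if indexes != [ALLOWED_INDEX]:
        problems.append(f"base search must use only index={ALLOWED_INDEX}")
    for stage in stages:
        command = stage.split(None, 1)[0].lower() if stage else "<empty>"
        if command not in ALLOWED_COMMANDS:
            problems.append(f"command not allowed: {command}")
    return problems


def audit_lookup(csv_text):
    """Map each KPI_Name in the lookup to its list of violations."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["KPI_Name"]: check_query(row["Query"]) for row in rows}


# Constructed sample lookup; inner double quotes are doubled as CSV requires.
SAMPLE = '''KPI_Name,Query
KPI_001,"index=ph3 sourcetype=dbmon | timechart avg(TransactionsPerSec) as avg_trans | eval comd_val=if(avg_trans<=10100,""Under_Control"",""Critical"") | table comd_val"
KPI_X01,"index=ph3 sourcetype=dbmon | stats count | outputlookup kpi_queries.csv"
KPI_X02,"index=_audit action=search | table user"
'''

if __name__ == "__main__":
    for kpi, problems in audit_lookup(SAMPLE).items():
        print(kpi, "OK" if not problems else problems)
```

Rows that return a non-empty list should be rejected before the lookup is wired to a panel; the answer's approach of storing only a threshold per KPI avoids the problem because no SPL is read from the file at all.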