Splunk IT Service Intelligence

How to run a query from a lookup file?


I am working on a threshold value dashboard for many indexes and sources. I want to show whether those parameters are running under a threshold value or not, so I have created a lookup file with two fields: the first field describes the KPI name and the second field is a query to determine the threshold value.

The lookup file format is something like this:

KPI_Name Query
KPI_001 "index=ph3 sourcetype=dbmon | timechart avg(TransactionsPerSec) as avg_trans | eval "Threshold value" = 10100 | eval comd_val=if(avg_trans<='Threshold value',"Under_Control","Critical") | table comd_val"

KPI_002 "index=ph3 sourcetype=CPUmon|........................etc"

KPI_003 "index=ph3 sourcetype=unix_top|........................etc"
. .
. .
KPI_050 "index=ph3 sourcetype=unix_cpu|........................etc "

So the query field value in the lookup file is different in every case, but the output is either critical or under control.

I want to show each KPI and the corresponding threshold value, either critical or under_control, in the same panel. Please help me.

0 Karma


You could use the lookup only for KPI_Name and Threshold and do the rest of the calculation in the main search itself.
For example:

index=ph3 sourcetype=dbmon | "your other search terms" | lookup your_lookup_table_name KPI_Name OUTPUT Threshold
| eval comd_val=if(avg_trans<=Threshold,"Under_Control","Critical") | table comd_val
Happy Splunking!
0 Karma


Every query in that lookup file is completely different. I want a dashboard to show all of the different threshold conditions in a single panel. Right now I have 50 different queries in the lookup file; in future it may reach 150, so manually writing each query in a panel seems very tough.

0 Karma
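
Added example, not part of the thread: when a dashboard executes search strings stored in a lookup, anyone who can edit that lookup decides what gets run, so the rows are worth auditing before they are executed. This Python sketch checks each `Query` value against an assumed policy (only `index=ph3`, no writing, deleting, sending or search-spawning commands, no macros); the blocked-command list, the policy and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumed policy for this example: commands that write, delete, send data out
# or launch further searches must not appear in a stored KPI query.
BLOCKED = {"delete", "collect", "outputlookup", "outputcsv", "sendemail",
           "script", "map", "dump", "tscollect", "savedsearch"}
ALLOWED_INDEXES = {"ph3"}  # the index used by the thread's sample rows

def check_query(query):
    """Return the policy violations for one stored search string.

    Deliberately conservative text matching, not an SPL parser: a pipe inside
    a quoted string is still treated as a command boundary, so it fails closed.
    """
    problems = []
    # Every index=<name> term, and every bare mention of the word "index".
    named = re.findall(r'\bindex\s*=\s*"?([\w*-]+)', query)
    mentions = re.findall(r"\bindex\b", query)
    if not named or len(named) != len(mentions):
        problems.append("index must be given only as index=<name>")
    for name in sorted(set(named) - ALLOWED_INDEXES):
        problems.append(f"index not allowed: {name}")
    # The first word after each pipe or subsearch bracket is a command name.
    for command in re.findall(r"[|\[]\s*(\w+)", query):
        if command.lower() in BLOCKED:
            problems.append(f"blocked command: {command.lower()}")
    if "`" in query:
        problems.append("macros not permitted")  # expansion is not visible here
    return problems

def audit_lookup(csv_text):
    """Map KPI_Name -> violations for each row that fails the policy."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["KPI_Name"]: p for r in rows if (p := check_query(r["Query"]))}

# Constructed sample lookup, not data from the thread.
SAMPLE = '''KPI_Name,Query
KPI_001,"index=ph3 sourcetype=dbmon | timechart avg(TransactionsPerSec) as avg_trans | eval comd_val=if(avg_trans<=10100,""Under_Control"",""Critical"") | table comd_val"
KPI_002,"index=ph3 sourcetype=CPUmon | stats count | outputlookup kpi_queries.csv"
KPI_003,"index=_audit action=search | table user"
'''

if __name__ == "__main__":
    for kpi, problems in audit_lookup(SAMPLE).items():
        print(kpi, problems)
```

Rows that pass are absent from the result, so an empty dictionary means every stored query met the policy.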