Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to run a query from a lookup file?

SapthagiriAavik
Explorer
‎07-17-2018 02:27 AM

I am working on a threshold value dashboard for many index and sources, i want to show whether those parameters running under a threshold value or not. so i have created a lookup file with two fields , first fields describes kpi name and second field is a query to determine threshold value.

lookup file format is something like this,

KPI_Name Query
KPI_001 "index=ph3 sourcetype=dbmon| timechart avg(TransactionsPerSec) as avg_trans | eval "Threshold value" = 10100 |eval comd_val=if(avg_trans<="Threshold value","Under_Control","Critical")|table comd_val"

KPI_002 "index=ph3 sourcetype=CPUmon|........................etc"

KPI_003 "index=ph3 sourcetype=unix_top|........................etc"
. .
. .
KPI_050 "index=ph3 sourcetype=unix_cpu|........................etc "

so the field query value in lookup file is different in every case but output is either critical or under control.

i want to show each kpi and correspondent threshold value either critical or under_control in a same panel. please help me.

Tags (2)
0 Karma
Reply

renjith_nair
Legend
‎07-17-2018 04:10 AM

You could use the lookup only for KPI_Name and Threshold and does the rest of the calculation in main search itself.
For e.g.

index=ph3 sourcetype=dbmon |"your other search terms"|lookup your_lookup_table_name KPI_Name OUTPUT Threshold 
|eval comd_val=if(avg_trans<="Threshold ","Under_Control","Critical")|table comd_val"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

SapthagiriAavik
Explorer
‎07-17-2018 10:28 PM

every query in that lookup file is completely different. i want a dashboard to show all of the different threshold condition in a single panel, Now i have 50 different queries in lookup file in future it may reach 150.so manually writing query in panel seems very tough

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...