Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk IT Service Intelligence: Is using inputlookup as a base search for KPI appropriate?

TheJagoff
Communicator
‎12-07-2016 11:09 AM

Hello,

I am attempting to use a CSV file as an inputlookup as a base search in Splunk IT Service Intelligence (ITSI). The search runs fine in the Base Search Editor:

|inputlookup lookup_assets.csv |fields public_table

and I get around 100 returns such as:

public_table
Asset1
Asset2
Asset3
...
Asset93

For the next step: I go to add the public_table as a metric for a distinct count, but I don't get any results when I attempt to set the thresholds.

Question - is using an inputlookup table in this manner valid? If so, what am I doing incorrectly?

Many thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TheJagoff
Communicator
‎12-08-2016 08:51 AM

I will answer my own question...
The following will actually work as a search for a KPI...

|inputlookup lookup_assets.csv |stats dc(public_table) AS CriticalApps| eval _time = now()

But - after getting some more information from the client; this is not an efficient method for a KPI that will be executed every 5 minutes. This input lookup table is used for further calculations for a KPI that gathers more information so the best way to display this information is as an adhoc widget in a glass table.

So yes, it can be done - no it's not the best way of doing things if it is only going to be used for visual information via Glass Table in ITSI.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

TheJagoff
Communicator
‎12-08-2016 08:51 AM

I will answer my own question...
The following will actually work as a search for a KPI...

|inputlookup lookup_assets.csv |stats dc(public_table) AS CriticalApps| eval _time = now()

But - after getting some more information from the client; this is not an efficient method for a KPI that will be executed every 5 minutes. This input lookup table is used for further calculations for a KPI that gathers more information so the best way to display this information is as an adhoc widget in a glass table.

So yes, it can be done - no it's not the best way of doing things if it is only going to be used for visual information via Glass Table in ITSI.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...