Splunk Search

Can an eval field name be used as a string in an SPL search?

Path Finder

I have a lookup hostlist.csv which has a list of host names and other metrics related to them.

I need to filter each host and its corresponding metrics into a separate lookup file.
For example:

|inputlookup hostlist.csv
|eval hostname="abc"
|table $hostname$,metrics
|outputlookup $hostname$.csv

So if I manually change the hostname's value and run the search query, it should save the metrics of that host in a lookup file with the above-mentioned naming convention. Is it possible in Splunk?

Thanks in advance.

1 Solution

Motivator

Hello @gowtham495,

Check out the map command:

The map command is a looping operator that runs a search repeatedly for each input event or result. You can run the map command on a saved search or an ad hoc search.

So try something like this:

| inputlookup hostlist.csv
| dedup hostname
| map search="| inputlookup hostlist.csv | search hostname=$hostname$ | table hostname,metrics | outputlookup $hostname$.csv"


SplunkTrust

@gowtham495 if you have a list of hosts and corresponding metrics, I am unsure why you need to separate them into different CSVs. Have you explored KV Store for maintaining the lookup? How many hosts do you have? What kind of metrics do you have per host? Also, how frequently do your hosts change, and what is the expected growth of hosts?

Also, have you tried the following search, which returns only one row from the master lookup based on hostname?

| inputlookup hostlist.csv where hostname="abc"
| table hostname, metrics
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Path Finder

Thanks for your response @niketnilay. Actually, I have simplified the problem for easy understanding. The real problem is that we have a 50-line query, and we need to create separate CSVs for each host (which has a child query that takes the host name and does some more processing... that's too technical).
Currently we are manually updating host names for 50 occurrences in the query (and repeating this process for 20 other servers); instead of that we need a user-defined token, so that we change the host name only once and the other places where the host name appears are taken care of.

Hope I made it clear. Please tell me if some other info is needed.
Thank you



Path Finder

I tweaked this query to suit my requirements. Worked well!
Thanks a lot @whrg


Esteemed Legend

You will need to use the maxsearches parameter of map to scale this.
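The accepted map search and the maxsearches note above, combined into one worked search as an added example that is not from anyone in this thread. It assumes the lookup has the columns hostname and metrics named in the question; the cap of 100 is an arbitrary value above map's default of 10. Because map pastes each $hostname$ value as plain text into the inner search and into the outputlookup filename, the value is wrapped in escaped quotes and the regex step keeps only host names made of safe characters, and the trailing stats and eval hand a per-host row count back to the outer search so every run can be checked.

```spl
| inputlookup hostlist.csv
| dedup hostname
| regex hostname="^[A-Za-z0-9._-]+$"
| table hostname
| map maxsearches=100 search="| inputlookup hostlist.csv | search hostname=\"$hostname$\" | table hostname, metrics | outputlookup $hostname$.csv | stats count AS rows_written | eval hostname=\"$hostname$\""
| table hostname, rows_written
```

A host that appears in hostlist.csv but not in the final table was dropped by the regex filter (or exceeded maxsearches), so the two counts should be compared after each run.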