Solved: Can you help me with a base search that would repl...

vinaykata · ‎09-25-2018

Hi,
I have a base search and I wanted to replace inputlookup instead of host=* in the below search

index=windows (sourcetype=WinHostMon OR sourcetype=WMI:CPU)  host=*
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1024) 
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1000,1)
| stats latest(NumberOfLogicalProcessors) as "CPU Count" latest(TotalPhysicalMemoryKB) as TotalPhysicalMemoryGB by host 
| join host [ search index=perfmon object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes" | search instance=_Total
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1024) 
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1000,1)
| eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null())
| eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null())
| eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null())
| eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null())
| stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time
| makemv diskInfoA1 delim=","
| makemv diskInfoB1 delim=","
| eval freePerc = mvindex(diskInfoA1,1)
| eval freeMB = mvindex(diskInfoB1,1)
| eval usage=round(100-freePerc,2)
| eval GB = round(freeMB/1024,2)
| eval totalDiskGB = GB/(freePerc/100)
| stats max(totalDiskGB) AS "Total Disk Size (GB)" by host]
| table host,"CPU Count",TotalPhysicalMemoryGB,"Total Disk Size (GB)" | fillnull value=N/A | rename host As Server

Details of inputlookup:

it has 3 fields with names

Application_Name Server_Name Tier_Name
AAA xyz.fqdn web_Server

somesoni2 · ‎09-25-2018

Give this a try

index=windows (sourcetype=WinHostMon OR sourcetype=WMI:CPU) [| inputlookup YourLookupTableNameHere | stats count by Server_Name | table Server_Name | rename Server_Name  as host ]
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1024) 
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1000,1)
| stats latest(NumberOfLogicalProcessors) as "CPU Count" latest(TotalPhysicalMemoryKB) as TotalPhysicalMemoryGB by host 
| join host [ search index=perfmon object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes" [| inputlookup YourLookupTableNameHere | stats count by Server_Name | table Server_Name | rename Server_Name  as host ] | search instance=_Total
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1024) 
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1000,1)
| eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null())
| eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null())
| eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null())
| eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null())
| stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time
| makemv diskInfoA1 delim=","
| makemv diskInfoB1 delim=","
| eval freePerc = mvindex(diskInfoA1,1)
| eval freeMB = mvindex(diskInfoB1,1)
| eval usage=round(100-freePerc,2)
| eval GB = round(freeMB/1024,2)
| eval totalDiskGB = GB/(freePerc/100)
| stats max(totalDiskGB) AS "Total Disk Size (GB)" by host]
| table host,"CPU Count",TotalPhysicalMemoryGB,"Total Disk Size (GB)" | fillnull value=N/A | rename host As Server

View solution in original post

somesoni2 · ‎09-25-2018

Give this a try

index=windows (sourcetype=WinHostMon OR sourcetype=WMI:CPU) [| inputlookup YourLookupTableNameHere | stats count by Server_Name | table Server_Name | rename Server_Name  as host ]
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1024) 
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1000,1)
| stats latest(NumberOfLogicalProcessors) as "CPU Count" latest(TotalPhysicalMemoryKB) as TotalPhysicalMemoryGB by host 
| join host [ search index=perfmon object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes" [| inputlookup YourLookupTableNameHere | stats count by Server_Name | table Server_Name | rename Server_Name  as host ] | search instance=_Total
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1024) 
| eval TotalPhysicalMemoryKB = round(TotalPhysicalMemoryKB/1000,1)
| eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null())
| eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null())
| eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null())
| eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null())
| stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time
| makemv diskInfoA1 delim=","
| makemv diskInfoB1 delim=","
| eval freePerc = mvindex(diskInfoA1,1)
| eval freeMB = mvindex(diskInfoB1,1)
| eval usage=round(100-freePerc,2)
| eval GB = round(freeMB/1024,2)
| eval totalDiskGB = GB/(freePerc/100)
| stats max(totalDiskGB) AS "Total Disk Size (GB)" by host]
| table host,"CPU Count",TotalPhysicalMemoryGB,"Total Disk Size (GB)" | fillnull value=N/A | rename host As Server

vinaykata · ‎09-25-2018

The same search hasn't worked earlier cause Server_Name field with all the server names are FQDN and the hosts in index are just a server names with out FQDN, SO the field values didn't match from lookup and the index. Then I have made another lookup with out FQDN ending to server names and it worked.

Can you help me with a base search that would replace inputlookup instead of hostname=*?

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...