We have a few servers clustered together and have created a lookup table that combines them.
What I would like to do is use the lookup table in my search results to group the results by the combined name.
CombinedName Host1 Host2
In the above example, I want the results in my search from Host2 to get combined and show up as CombinedName. I was attempting the following:
| lookup client-info.csv hostname, combinedName OUTPUT hostname,combinedName |fields + combinedName
I am not getting results back but I should be. Is there something I missed or a better way to do this?
Do you get results from
sourcetype="userlogins" | lookup client-name.csv hostname, combinedName OUTPUT hostname,combinedName | table hostname combinedName responseTime operation
If not, the problem may be with your lookup file. Verify all four fields have values.
@DavidHourani It seems like your solution will work. @richgalloway identified the other issue; the lookup table is lower case but we have the hosts all capitalized. I believe this is causing a mismatch and not getting results back.
@DavidHourani here is my search. combinedName is just a name we use to represent a cluster of hosts. It is defined in the client-name.csv lookup.
| lookup client-name.csv hostname, combinedName OUTPUT hostname,combinedName
| fields + combinedName
| stats avg(responsetime) as averageResponse, count(_raw) AS eventCount by combinedName , operation
So in client-name.csv you have both hostname and combinedName, and in your data you only have hostname, right? If that's the case, do the following:
sourcetype="userlogins" | lookup client-name.csv hostname OUTPUT combinedName | stats avg(responsetime) as averageResponse, count AS eventCount by combinedName , operation
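Putting the two findings from the thread together (only hostname exists in the events, so it must be the sole input field of the lookup, and the lookup file is lower case while the events carry upper-case hostnames), here is an added SPL example that is not part of the original thread. It assumes the field names used above (hostname, combinedName, responsetime, operation) and the sourcetype userlogins; the lower() normalization and the transforms.conf stanza are added here, not something either poster wrote.

```spl
sourcetype="userlogins"
| eval hostname=lower(hostname)                       /* match the lower-case keys in client-name.csv */
| lookup client-name.csv hostname OUTPUT combinedName  /* input field is hostname only; combinedName is looked up */
| where isnotnull(combinedName)                        /* drop events whose host is missing from the lookup so they do not pollute the stats */
| stats avg(responsetime) AS averageResponse, count AS eventCount BY combinedName, operation

/* Alternative to the eval: define the lookup in transforms.conf and make the match case-insensitive, then call it by stanza name instead of by file name.
[client-name]
filename = client-name.csv
case_sensitive_match = false
*/
```

Two caveats a practitioner would check before trusting the output: the `fields + combinedName` step in the earlier search removes responsetime and operation before stats runs, so avg(responsetime) would be empty even when the lookup matches, and Splunk field names are case-sensitive, so responseTime and responsetime are different fields. Use whichever one actually appears in the events consistently in both the lookup and the stats.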