Solved: Re: Ho to get search input from csv file

Kwip · ‎04-07-2017

I am having a csv file which contains some production server jobs name to monitor. I want to give those jobs listed in the file as a search string input to the splunk.

Is there any way to achieve it?

I cant put the Jobs in search as JOB1 OR JOB2 OR JOB3 OR and so on. But the job list is more than 60, so i am looking for a way to give all those job names as search input directly. Please let me know which command i need to use for this purpose.

Thanks in Advance.

gcusello · ‎04-07-2017

Hi Kwip,
You have to do the following steps:

create a lookup (e.g. jobs.csv), I suggest to use Lookup Editor App, it's usefule to use as lookup column name the same name of the field in your logs (e.g. (job");
create a lookup definition [Settings -- Lookups -- Lookup Definitions] related to the new lookup;
use lookup to filter your searches.

the search is something like this:

Your_search [ | inputlookup jobs.csv | fields job ]
| ....

If you want to monitor the presence of logs for all lookup values, your search will be something like this:
Your_search

| stats count by job
| append [ | inputlookup jobs.csv | eval count=0| fields job count ]
| stats sum(count) AS Total by job

In this way:

Total=0 for one or more jobs means that there aren't logs for these jobs (you could also trigger an alert for this);
Total>0 means that there are logs for that job.

Bye.
Giuseppe

View solution in original post

gcusello · ‎04-07-2017

Hi Kwip,
You have to do the following steps:

create a lookup (e.g. jobs.csv), I suggest to use Lookup Editor App, it's usefule to use as lookup column name the same name of the field in your logs (e.g. (job");
create a lookup definition [Settings -- Lookups -- Lookup Definitions] related to the new lookup;
use lookup to filter your searches.

the search is something like this:

Your_search [ | inputlookup jobs.csv | fields job ]
| ....

If you want to monitor the presence of logs for all lookup values, your search will be something like this:
Your_search

| stats count by job
| append [ | inputlookup jobs.csv | eval count=0| fields job count ]
| stats sum(count) AS Total by job

In this way:

Total=0 for one or more jobs means that there aren't logs for these jobs (you could also trigger an alert for this);
Total>0 means that there are logs for that job.

Bye.
Giuseppe

DalJeanis · ‎04-07-2017

Generally I prefer to use table rather than fields here, because it ensures there will be no odd internal fields that I don't know about. For inputlookup or inputcsv it might not happen, but we often use the same formula for all kinds of searches that make data, so a habit of using table will pay off in the long run.

Your_search [ | inputlookup jobs.csv | table job ]
 | ....

Kwip - the above command works because the subsearch in the braces [] is implicitly processed by the format command into a string that looks like "( ( job=JOB1 ) OR ( job=JOB2 ) OR ( job=JOB3 ) OR... )", just as if format was explicitly called like this...

Your_search [ | inputlookup jobs.csv | table job | format ]
 | ....

For more details on how it works, see the format command. http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Format

Kwip · ‎07-04-2017

Thank you!!! It works

Ho to get search input from csv file

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Ho to get search input from csv file

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0