Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I extract a field using "lookup" and a .csv file that doesn't pair to an event?

mdennisAPFCU
Engager
‎06-24-2015 11:30 AM

I'm trying to match event data with preset limits recorded in a .csv file.

My search looks for a host and its percentage usage of disk space. I want to pair it with an arbitrarily set maximum % used that varies by server.
e.g. Host BUMBLEBEE can have 95% disk usage, but ITCHY can only have 90%.

How do I get lookup to pair the maximum usage value from the .csv file to the event data that shows the % disk space used?

This is my search:

index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space"
|eval "pct_used"=round(100-Value,2)|eval mount=instance
 |eval uniq=host."_".mount|dedup uniq
| stats last("pct_used") AS pct_used by host,mount |lookup disk_thresholds host,mount 
| eval crit_threshold=coalesce(crit_threshold,70) 

| where pct_used > crit_threshold`
0 Karma
Reply

woodcock
Esteemed Legend
‎07-17-2015 10:26 PM

The answer from @lguinn is incorrect; your lookup should work fine but there were a few tweaks that should make your stuff work (better), PROVIDED your lookup table has a field called exactly crit_threshold (it might actually be, for example, crit_threshhold); try this:

index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space" | eval pct_used=round(100-Value,2) | stats last(pct_used) AS pct_used BY host instance | lookup disk_thresholds host mount AS instance | eval crit_threshold=coalesce(crit_threshold,70) | where pct_used > crit_threshold
0 Karma
Reply

lguinn2
Legend
‎06-24-2015 01:14 PM

The logic of your search is fine. A lookup does not have to match an "event" per se, it matches against a field.

The syntax of your lookup command is wrong. It should be

| lookup disk_thresholds host mount OUTPUT crit_threshold

Assuming that you have uploaded a CSV file and setup a lookup named disk_thresholds with the appropriate fields.

Here is a step by step guide to setting up a lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...