Splunk Search

How can I extract a field using "lookup" and a .csv file that doesn't pair to an event?

mdennisAPFCU
Engager

I'm trying to match event data with preset limits recorded in a .csv file.

My search looks for a host and its percentage usage of disk space. I want to pair it with an arbitrarily set maximum % used that varies by server.
e.g. Host BUMBLEBEE can have 95% disk usage, but ITCHY can only have 90%.

How do I get lookup to pair the maximum usage value from the .csv file to the event data that shows the % disk space used?

This is my search:

index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space"
| eval "pct_used"=round(100-Value,2) | eval mount=instance
| eval uniq=host."_".mount | dedup uniq
| stats last("pct_used") AS pct_used by host,mount | lookup disk_thresholds host,mount
| eval crit_threshold=coalesce(crit_threshold,70)
| where pct_used > crit_threshold

woodcock
Esteemed Legend

The answer from @lguinn is incorrect; your lookup should work fine but there were a few tweaks that should make your stuff work (better), PROVIDED your lookup table has a field called exactly crit_threshold (it might actually be, for example, crit_threshhold); try this:

index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space" | eval pct_used=round(100-Value,2) | stats last(pct_used) AS pct_used BY host instance | lookup disk_thresholds host mount AS instance | eval crit_threshold=coalesce(crit_threshold,70) | where pct_used > crit_threshold

lguinn2
Legend

The logic of your search is fine. A lookup does not have to match an "event" per se, it matches against a field.

The syntax of your lookup command is wrong. It should be

| lookup disk_thresholds host mount OUTPUT crit_threshold

Assuming that you have uploaded a CSV file and set up a lookup named disk_thresholds with the appropriate fields.

Here is a step-by-step guide to setting up a lookup.

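To make the semantics discussed in both answers concrete, here is an added Python model of what the `lookup`, `coalesce` and `where` steps do to the `stats` output. It is not Splunk code and not from either poster; the CSV contents and the stats rows are constructed sample data, and the field names (`host`, `mount`, `crit_threshold`) are taken from the question. It also models woodcock's caveat: when the CSV header is spelled differently from the field the search expects (for example `crit_threshhold`), the lookup outputs nothing, every row silently falls back to the default of 70, and far more hosts appear to breach.

```python
import csv
import io

# Constructed sample lookup table, standing in for the disk_thresholds CSV
# uploaded to Splunk. The header must match the field the search uses.
DISK_THRESHOLDS_CSV = """host,mount,crit_threshold
BUMBLEBEE,C:,95
ITCHY,C:,90
ITCHY,D:,80
"""

# Same table with a misspelled header (woodcock's "crit_threshhold" case).
MISSPELLED_CSV = DISK_THRESHOLDS_CSV.replace("crit_threshold", "crit_threshhold")

# Constructed stand-in for the rows produced by `stats last(pct_used) AS pct_used by host,mount`.
STATS_ROWS = [
    {"host": "BUMBLEBEE", "mount": "C:", "pct_used": 93.5},
    {"host": "ITCHY", "mount": "C:", "pct_used": 91.2},
    {"host": "ITCHY", "mount": "D:", "pct_used": 50.0},
    {"host": "SCRATCHY", "mount": "C:", "pct_used": 75.0},  # no row in the lookup
]


def load_lookup(csv_text, key_fields):
    """Index the CSV by the tuple of key fields, as a Splunk CSV lookup does."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[tuple(row[f] for f in key_fields)] = row
    return table


def apply_lookup(rows, table, key_fields, output_fields):
    """Model `| lookup <name> key... OUTPUT fields...`: copy each requested output
    field onto rows whose key matches; rows with no match (or a table that lacks
    the field) are left without it, which is why coalesce is needed afterwards."""
    enriched = []
    for row in rows:
        row = dict(row)
        match = table.get(tuple(row[f] for f in key_fields))
        if match:
            for f in output_fields:
                if f in match:
                    row[f] = match[f]
        enriched.append(row)
    return enriched


def coalesce_threshold(rows, field="crit_threshold", default=70):
    """Model `| eval crit_threshold=coalesce(crit_threshold,70)`; CSV values are strings."""
    for row in rows:
        row[field] = float(row.get(field, default))
    return rows


def over_threshold(rows):
    """Model `| where pct_used > crit_threshold`."""
    return [r for r in rows if r["pct_used"] > r["crit_threshold"]]


def find_breaches(csv_text=DISK_THRESHOLDS_CSV, stats_rows=STATS_ROWS):
    """Run the whole pipeline and return the rows that exceed their threshold."""
    table = load_lookup(csv_text, ("host", "mount"))
    rows = apply_lookup(stats_rows, table, ("host", "mount"), ("crit_threshold",))
    rows = coalesce_threshold(rows)
    return over_threshold(rows)


if __name__ == "__main__":
    print("correct header:")
    for r in find_breaches():
        print(f"  {r['host']} {r['mount']}: {r['pct_used']}% used > {r['crit_threshold']}%")
    print("misspelled header (every host falls back to 70):")
    for r in find_breaches(MISSPELLED_CSV):
        print(f"  {r['host']} {r['mount']}: {r['pct_used']}% used > {r['crit_threshold']}%")
```

With the correct header only ITCHY C: (91.2 over 90) and SCRATCHY C: (75 over the default 70, since it has no lookup row) are reported; with the misspelled header BUMBLEBEE is reported too, because its 95 limit never reaches the search. Checking `| inputlookup disk_thresholds` for the exact column name is the quickest way to rule that out.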