Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come this doesn't work given indexers.csv is a list of Splunk servers with role indexer?

albledsoe
Engager
‎02-22-2023 02:35 PM

How come this doesn't work given indexers.csv is a list of Splunk servers with role Indexer?

| inputlookup indexers.csv| rename splunk_server as Indxr| foreach Indxr [search index=_introspection sourcetype=splunk_resource_usage component=IOStats host=Indxr | eval reads_ps = 'data.reads_ps'| eval writes_ps = 'data.writes_ps' | eval writes_ps=avg(write_ps) | eval reads_ps=avg(reads_ps)]

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-22-2023 02:52 PM

That is not what foreach is designed for. It looks like you want to run a search using the value of each splunk_server in your lookup, so use a subsearch like this

index=_introspection sourcetype=splunk_resource_usage component=IOStats [
  | inputlookup indexers.csv 
  | rename splunk_server as host 
]
| eval reads_ps = 'data.reads_ps' 
| eval writes_ps = 'data.writes_ps'

I have left out the last two avg() statements as that is not how eval works - eval is to perform an action on a single event. If you want to create averages, use some form of stats command, e.g.

| stats avg(write_ps) as writes_ps avg(reads_ps) as reads_ps by host

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-22-2023 02:52 PM

That is not what foreach is designed for. It looks like you want to run a search using the value of each splunk_server in your lookup, so use a subsearch like this

index=_introspection sourcetype=splunk_resource_usage component=IOStats [
  | inputlookup indexers.csv 
  | rename splunk_server as host 
]
| eval reads_ps = 'data.reads_ps' 
| eval writes_ps = 'data.writes_ps'

I have left out the last two avg() statements as that is not how eval works - eval is to perform an action on a single event. If you want to create averages, use some form of stats command, e.g.

| stats avg(write_ps) as writes_ps avg(reads_ps) as reads_ps by host
0 Karma
Reply
Solved! Jump to solution

albledsoe
Engager
‎02-22-2023 03:21 PM

Yep, that's it. It's been sometime since I wrote SPL.  I had been using the REST API in Bash and Javascript. But many don't want to run my scripts. So I am trying to convert to copy/paste SPL. Thanks for the quick tutorial.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...