Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come this doesn't work given indexers.csv is a list of Splunk servers with role indexer?

albledsoe
Engager
‎02-22-2023 02:35 PM

How come this doesn't work given indexers.csv is a list of Splunk servers with role Indexer?

| inputlookup indexers.csv| rename splunk_server as Indxr| foreach Indxr [search index=_introspection sourcetype=splunk_resource_usage component=IOStats host=Indxr | eval reads_ps = 'data.reads_ps'| eval writes_ps = 'data.writes_ps' | eval writes_ps=avg(write_ps) | eval reads_ps=avg(reads_ps)]

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-22-2023 02:52 PM

That is not what foreach is designed for. It looks like you want to run a search using the value of each splunk_server in your lookup, so use a subsearch like this

index=_introspection sourcetype=splunk_resource_usage component=IOStats [
  | inputlookup indexers.csv 
  | rename splunk_server as host 
]
| eval reads_ps = 'data.reads_ps' 
| eval writes_ps = 'data.writes_ps'

I have left out the last two avg() statements as that is not how eval works - eval is to perform an action on a single event. If you want to create averages, use some form of stats command, e.g.

| stats avg(write_ps) as writes_ps avg(reads_ps) as reads_ps by host

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-22-2023 02:52 PM

That is not what foreach is designed for. It looks like you want to run a search using the value of each splunk_server in your lookup, so use a subsearch like this

index=_introspection sourcetype=splunk_resource_usage component=IOStats [
  | inputlookup indexers.csv 
  | rename splunk_server as host 
]
| eval reads_ps = 'data.reads_ps' 
| eval writes_ps = 'data.writes_ps'

I have left out the last two avg() statements as that is not how eval works - eval is to perform an action on a single event. If you want to create averages, use some form of stats command, e.g.

| stats avg(write_ps) as writes_ps avg(reads_ps) as reads_ps by host
0 Karma
Reply
Solved! Jump to solution

albledsoe
Engager
‎02-22-2023 03:21 PM

Yep, that's it. It's been sometime since I wrote SPL.  I had been using the REST API in Bash and Javascript. But many don't want to run my scripts. So I am trying to convert to copy/paste SPL. Thanks for the quick tutorial.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...