- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Replacing values outputted from |stats with va...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I am attempting to take a variety of values for a single field and essentially use another search from a different index to rename them to a more human readable value. Both indexes do have a field that contains a 1:1 value that I could potentially use |join, however I am having issues with the stats table output where the search is failing to pull up any data or pulling up all data despite searching for a specific value in a field. I have tried |append as well but not getting the results I expect.
Example:
index=index_ mac_address=* logical_vm=* state=online
| stats latest(physical_vm) as server latest(ip_address) as IP latest(logical_vm) as host by mac_address
| search server=z4c8h2 IP=* host=* name=*
| stats count by server
Output:
mac_address | server | IP | host
xx:xx:xx:xx:xx:xx | z4c8h2 | 10.0.0.0 | vm01.internet.io
index=translate box=z4c8h2
| table human_name
The translate index search shows the name that I would like to replace in the index_ search for server, but cant get the stats table to update correctly.
Any suggestions how to format a join/append or some other method of getting the value to update in the Stats output table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you could use a lookup.
You index that contains the human_name - is that something that could be turned into a lookup, where the values are static - if so, then after your stats you would simply do
...
| lookup server_list.csv server where the lookup file contains the server/human_name.
From your naming of the index, it would appear that this data is designed to be a way to translate box-->human_name - is that right? If so, then lookup would seem an option.
If a lookup is not practical, then you need another solution - note that join is an option - but you always explore alternatives before using join, as it has limitations.
The join option sounds simple enough
| join server [
index=translate
| rename box as server
| fields server human_name
]A stats solution would need to correlation the human_name/box/server/mac_address fields to get it done in a single search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this inline search got me to where I needed to be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you could use a lookup.
You index that contains the human_name - is that something that could be turned into a lookup, where the values are static - if so, then after your stats you would simply do
...
| lookup server_list.csv server where the lookup file contains the server/human_name.
From your naming of the index, it would appear that this data is designed to be a way to translate box-->human_name - is that right? If so, then lookup would seem an option.
If a lookup is not practical, then you need another solution - note that join is an option - but you always explore alternatives before using join, as it has limitations.
The join option sounds simple enough
| join server [
index=translate
| rename box as server
| fields server human_name
]A stats solution would need to correlation the human_name/box/server/mac_address fields to get it done in a single search.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
