Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to restrict license report to slaves via lookup?

a212830
Champion
‎11-04-2016 07:42 AM

Hi,

I want to run reports against certain slaves reporting into the license manager, and filter them via a lookup. Here's the existing search - is there a way to filter them via lookup and slave name (not guid) ?

index=_internal source=*license_usage.log type="RolloverSummary"   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time  | join type=outer slave_guid [rest splunk_server=local /services/licenser/slaves | rename label AS slave_name title AS slave_guid | table slave_guid slave_name] | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false limit=1000| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <>=round('<>'/1024/1024/1024, 3)]
0 Karma
Reply

somesoni2
Revered Legend
‎11-04-2016 08:44 AM

Try this

1) Run following search to generate a lookup with all license slaves and corresponding GUID. I would create a scheduled saved search to get this lookup table (say license_slaves.csv) updated daily.

 | rest splunk_server=local /services/licenser/slaves | rename label AS slave_name title AS slave_guid | table slave_guid slave_name | outputlookup license_slaves.csv

2) Update your dashboard like this

a) add the data input (multiselect) to use the lookup

<input type="multiselect" token="slaves">
      <label>License Slaves</label>
      <choice value="*">All Slaves</choice>
      <search>
        <query>| inputlookup license_slaves.csv | table slave_guid slave_name</query>
      </search>
      <fieldForLabel>slave_name</fieldForLabel>
      <fieldForValue>slave_guid</fieldForValue>
      <default>*</default>
      <prefix>slave=</prefix>
      <delimiter> OR slave=</delimiter>
    </input>

b) Update you dashboard search like this
Updated

index=_internal source=*license_usage.log type="RolloverSummary" $slaves$ | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | stats max(b) AS volume by slave, _time | lookup license_slaves.csv slave_guid as slave OUTPUT slave_name  | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false limit=1000| join type=outer _time [search index=_internal source=license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach  * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma
Reply

a212830
Champion
‎11-04-2016 10:39 AM

Thanks - give me: Mismatched ']'.

0 Karma
Reply

somesoni2
Revered Legend
‎11-04-2016 04:02 PM

Missed removing a bracket. Try the updated answer now.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...