Splunk Search

How to search the status of processes in each server using a lookup table?

gantonio
New Member

I am trying to build a search that will display the Process status in each server.
I have a lookup table called ipservices:

host,IPService,Process
server1,smtp,smtp
server1,pexa_jboss,jboss
server1,sshd,sshd
server1,splunk_forwarder,splunkd
server2,bipbroker,bipbroker
server2,bipservice,bipservice
server2,biphttplistener,biphttplistener
server2,sshd,sshd
server2,splunk_forwarder,splunkd
server3,bipbroker,bipbroker
server3,bipservice,bipservice
server3,biphttplistener,biphttplistener
server3,sshd,sshd
server3,splunk_forwarder,splunkd
server4,smtp,smtp
server4,sshd,sshd
server4,pexa_jboss,jboss
server4,splunk_forwarder,splunkd
server5,smtp,smtp
server5,sshd,sshd
server5,pexa_jboss,jboss
server5,splunk_forwarder,splunkd

The search should get the values in the Process and host fields and then input them into the search, where I use a match command which indicates whether the process exists or not. 1 indicates that the process exists and is running, while 0 means it does not exist and the process is down.

Can someone help me to build the search to achieve this?
I tried to use the search below, but can't see any results.

sourcetype=ps  [| inputlookup ipservices | table Process] | eval processexists=if(match(_raw,"[| inputlookup ipservices | table Process]"),1,0) | stats max(processexists) as Status by host

Please help.

Thanks

0 Karma

Ahmed67
Engager

From your data, searching based on lookup fields and adding fields to results from a lookup are two separate things, right? So you will need to do two steps to achieve this, right? You may configure your lookup as an automatic lookup on your data, right? That'll allow you to leave off the explicit "| lookup " command from your first search, right?
Second, run a search like this, right:

 index=foo sourcetype=bar [inputlookup mylookup | fields month | rename month as date_month] | ...

Or I guess you want to use a GUI, right? This can also be done via the GUI Admin Manager, right? It takes a string of search to restrict searches, right? I did a preliminary test, right? And it worked, right. In that field, try this, right?:

..|rest /services/authentication/current-context | table username | lookup user_auths.csv user AS username OUTPUT host | table host | format "" "(" "OR" ")" "" ""

Replace "user_auths.csv" with your lookup name or filename. Update the "user" field to be whatever is listed in that csv.

follow me: https://a7medkamal.wordpress.com/

0 Karma
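One way to build the per-host, per-process status the original question asks for, as an added example and not a search from either post: start from the lookup so every host/Process pair gets a row with Status 0, append the ps events with Status 1 where the process name appears in the event, and take the max per pair. It assumes a lookup definition named ipservices and that the relevant ps data sits in the last 15 minutes.

```spl
| inputlookup ipservices
| eval Status=0
| append
    [ search sourcetype=ps earliest=-15m
      | lookup ipservices host OUTPUT Process
      | mvexpand Process
      | eval Status=if(match(_raw, "\b" . Process . "\b"), 1, 0) ]
| stats max(Status) AS Status BY host, Process
```

Because the lookup rows seed the result, a host that sends no ps events at all still shows each of its processes as 0, which a search that only filters ps events through a subsearch cannot report. Matching against the whole _raw event is the same check the question uses, so a short name such as sshd also counts a line whose arguments merely mention it; restricting the match to the command column of the ps output tightens this.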