I am trying to build a search that will display the Process status in each server.
i have a lookup table called ipservices:
host,IPService,Process
server1,smtp,smtp
server1,pexa_jboss,jboss
server1,sshd,sshd
server1,splunk_forwarder,splunkd
server2,bipbroker,bipbroker
server2,bipservice,bipservice
server2,biphttplistener,biphttplistener
server2,sshd,sshd
server2,splunk_forwarder,splunkd
server3,bipbroker,bipbroker
server3,bipservice,bipservice
server3,biphttplistener,biphttplistener
server3,sshd,sshd
server3,splunk_forwarder,splunkd
server4,smtp,smtp
server4,sshd,sshd
server4,pexa_jboss,jboss
server4,splunk_forwarder,splunkd
server5,smtp,smtp
server5,sshd,sshd
server5,pexa_jboss,jboss
server5,splunk_forwarder,splunkd
The search should get the value in Process and host Field and then input them to the search where I use a match command which indicates if the process exists or not. 1 indicates that the process exists and is running, while 0 means does not exist and the process is down.
Can someone help me to build the search to achieve this?
I tried to use below search, but cant see any result.
sourcetype=ps [| inputlookup ipservices | table Process] | eval processexists=if(match(_raw,"[| inputlookup ipservices | table Process]"),1,0) | stats max(processexists) as Status by host
Please help.
thanks
From your data,searching based on lookup fields and adding fields to results from a lookup are two separate things right? So you will need to do two steps to achieve this right?You may configure your lookup as an automatic lookup on your data right? That'll allow you to leave off the explicitly "| lookup " command from your first search right?
Second, run a search like this right:
index=foo sourcetype=bar [inputlookup mylookup | fields month | rename month as date_month] | ...
Or I guess you want to use a GUI right?This can also be done via the GUI Admin Manager right?. It takes a string of search to restrict searches right?. I did a preliminary test right? And it worked right. In that field, try this right?:
..|rest /services/authentication/current-context | table username | lookup user_auths.csv user AS username OUTPUT host | table host | format "" "(" "OR" ")" "" ""
Replace "user_auths.csv" with your lookup name or filename. Update the "user" field to be whatever is listed in that csv.
follow me: https://a7medkamal.wordpress.com/