Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to input .csv lookups in a tstats Heartbeat query?

john_c_calhoun
Explorer
‎06-12-2023 08:47 AM

Hello! Rather than manually specifying the indexes I want to perform this heartbeat query on, I was wondering if there was a way to input a .csv lookup instead.

| tstats latest(_time) as latest where index="index1" OR index="index2" earliest=-24h by index
| eval recent = if(latest > relative_time(now(),"-1m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
| fields- recent, latest
| rename realLatest as "Last Event Timestamp"

The .csv would just contain a bunch of index names that we'd want to monitor, but so far I haven't been able to get around the fact that tstats must come first, and that the index argument does not accept complex inputs.

Thanks!

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2023 05:18 PM

Have you tried a subsearch?

| tstats latest(_time) as latest where [ | inputlookup indexes.csv | fields index | format ] earliest=-24h by index
| eval recent = if(latest > relative_time(now(),"-1m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
| fields- recent, latest
| rename realLatest as "Last Event Timestamp"
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...