Hi,
I'm bouncing my head against the wall for this (probably) simple question..
I've got an inputlookup "indexers". As the name says.. those are the Splunk indexers, but will be more than that in the future. I want to get disk sizes off them with the below search:
|inputlookup indexers | fields host | stats count by host |map search="search (| rest splunk_server=$host$ /services/server/status/partitions-space]")
It all goes well until the map command. The stats gives a nice list of the servers. It goes wrong at the "search (| rest splunk_server=$host$ /services/server/status/partitions-space]" part.
When I try this part of the search.. it strips the | from the search.. and gives nothing. It seems a search command followed by a | will strip the | .. and then the rest search is useless.
What can I do to pass the hostnames from the inputlookup to the |rest search?
Thanx in advance
grts
Jari
Hi Jari,
You don't need to run a sub-search for each host. Run the rest command first, append the lookup results, and use stats to merge.
| rest /services/server/status/partitions-space
| append
[| inputlookup indexers
| fields host
| stats count by host
| eval splunk_server=host]
| stats max(*) as * by splunk_server
| where host="*"
| where host="*" gives results only for hosts in the lookup file.
If this reply helps you, an upvote/like would be appreciated.
Yes.. That's it. Didn't think about changing the order. Thanx again 👍
Please accept and upvote the answer if it is working.