- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search with input lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search with input lookup
Hi Team,
Need Help on run search checking server live or not using lookup
boxdata
box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host
QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01
| inputlookup boxdata | search host=hostny01
I want to show process which down only for LIVE servers. Is there a way to use abv lookup to search only Live servers.
index=ab* host=pr host!=old source=processMonitor* appmon="1" instance= apphome =** | search down | stats latest(state) by host, apphome, instance, appmon**
Thanks
HR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the lookup has a list of servers to search, then like this, with a subsearch:
index=ab* host=pr host!=old source=processMonitor* appmon="1"
[ | inputlookup boxdata | search box_live_state="LIVE" | fields host ]
| stats latest(state) by host, apphome, instance, appmon
Or, if you have a HYUGE number of servers in the file, like this:
index=ab* host=pr host!=old source=processMonitor* appmon="1"
| lookup boxdata host | search box_live_state="LIVE"
| stats latest(state) by host, apphome, instance, appmon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Wood,
Thanks for responding..
Is the anyway to show lookup table columns
index=ab* host=pr host!=old source=processMonitor* appmon="1" instance=** apphome =** [ | inputlookup boxdata | search box_live_state=NOTLIVE | fields host ]
| stats latest(state) as status by host, apphome, instance, appmon
sample
| inputlookup boxdata | search host=hostny01
boxdata
box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host
QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01
Thanks
HR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have merely restated your original question with no additional detail or clarity. have you even tried my answers? If they do not work, explain why.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Wood,
Answer 2 - Incorrect syntax
index=ab* host=pr host!=old source=processMonitor* appmon="1" instance=* apphome =* | search down | inputlookup boxdata host | search box_live_state="LIVE" | stats latest(state) by host, apphome, instance, appmon
Error in 'inputlookup' command: Invalid argument: 'host'
I tried your answers as shown below. But what i want is how to show box_live_state column in the output
index=ab* host=pr host!=old source=processMonitor* appmon="1" instance=* apphome =* | search down [ | inputlookup boxdata | search box_live_state=NOTLIVE | fields host | table box_live_state ]
| stats latest(state) as status by host, apphome, instance, appmon
sample
| inputlookup boxdata | search host=hostny01
boxdata
box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host
QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01
Thanks
HR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just cut-and-paste it. You changed my |lookup boxdata host to |inputlookup boxdata host which, as Splunk says, is incorrect.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi harsush,
Let me understand better:
you want to find if a server that you have in a lookup is up or down, correct?
if this is your need, try something like this:
index=_internal
| eval host=upper(host)
| stats count by host
| append [ | inputlookup your_lookup.csv | eval count=0, host=upper(host) | fields host ]
| stats sum(count) AS Total by host
if Total=0 host isn't sending logs, if Total>0 host is sending logs.
You can also filter the host list in you lookup.
Using this search you can create an alert or put results in a dashboard showing status also in graphic mode.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Cusello,
Thanks for responding..
Iam bad in explaining 🙂 .. sorry for the confusion .. I hope this time its clear what iam expecting
Below Search1 will gives me process which are down on diff hosts.. But what i want is to filter out Hosts which are not live ( | inputlookup boxdata | search host=hostny01 )
Search1
index=ab* host=pr host!=old source=processMonitor* appmon="1" instance=* apphome =* | search down | stats latest(state) by host, apphome, instance, appmon
How can i check filter hosts which are not live after getting output from abv search ?
| inputlookup boxdata | search host=hostny01
boxdata
box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host
QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok try something like this:
index=ab* host=pr host!=old source=processMonitor* appmon="1" instance=* apphome =* [ | inputlookup boxdata | search box_live_state=LIVE | fields host ]
| stats latest(state) by host, apphome, instance, appmon
beware to the case of host in search and subsearch: if you're not sure of upper or lower case, you have to transform hosts both in search and subsearch.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Cusello,
Thanks for responding..
Is the anyway to show lookup table columns
index=ab* host=pr host!=old source=processMonitor* appmon="1" instance=** apphome =** [ | inputlookup boxdata | search box_live_state=NOTLIVE | fields host ]
| stats latest(state) as status by host, apphome, instance, appmon
sample
| inputlookup boxdata | search host=hostny01
boxdata
box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host
QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01
Thanks
HR
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
