|inputlookup ambp1.csv|fields host,cap| map maxsearches=10000000 search="|cpt_x disk $host$ %cap%|eval UsedPct=(max(used_mb)/(max(used_mb)+min(avail_mb))*100)"
So ambp1.csv is a list with 2 columns: host, cap
And I'm trying to run every row of this csv file and put it through a Python script cpt_x disk that takes <host name> "cap" | ... format to output ONE result from ONE row.
I am stuck big time here.
I would appreciate any input from you guys if you catch anything from the line above!
Jack
Your percent characters % should be dollar characters $ like this and you cannot use max outside of stats or similar (streamed set of events). I am guessing that something like this is what you are trying to do:
| inputlookup ambp1.csv | fields host,cap | map maxsearches=10000000 search="| cpt_x disk $host$ $cap$" | stats max(used_mb) AS max_used_mb min(avail_mb) AS min_avail_mb | eval UsedPct=(max_used_mb/(max_used_mb+min_avail_mb)*100)
You are definitely going to hate the performance of these kazillion individual searches.
Why don't you just make your python script a macro and stream it directly like this:
| inputlookup ambp1.csv | `cpt_x("disk", host, cap)` | stats max(used_mb) AS max_used_mb min(avail_mb) AS min_avail_mb | eval UsedPct=(max_used_mb/(max_used_mb+min_avail_mb)*100)
Hi, thanks...
Would I need a before eval?
Would I need a bucket _time span =1 h I mean?
I am unsure what cpt_x does and what is your end goal so I cannot really answer. As I said, I was making some educated guesses.
I see $host$ and %cap% - is that supposed to be that way?
Also, this will be horribly inefficient, launching 10000000 searches just to run some python script. Instead, make the python script deal with more than one CSV row on input at a time and just call it directly.