Splunk Search

Searching through "inputlookups" - syntax error?

minkyuk
Explorer
|inputlookup ambp1.csv|fields host,cap| map maxsearches=10000000 search="|cpt_x disk $host$ %cap%|eval UsedPct=(max(used_mb)/(max(used_mb)+min(avail_mb))*100)"

So ambp1.csv is a list with 2 columns: host, cap

And I'm trying to run every row of this CSV file and put it through a Python script, cpt_x disk, that takes the

<host name> "cap" | ... format to output ONE result from ONE row.

I am stuck big time here.
I would appreciate any input from you guys if you catch anything from the line above!

Jack

0 Karma
1 Solution

woodcock
Esteemed Legend

Your percent characters (%) should be dollar characters ($), like this, and you cannot use max outside of stats or similar (a streamed set of events). I am guessing that something like this is what you are trying to do:

| inputlookup ambp1.csv | fields host,cap | map maxsearches=10000000 search="| cpt_x disk $host$ $cap$" | stats max(used_mb) AS used_mb min(avail_mb) AS avail_mb | eval UsedPct=used_mb/(used_mb+avail_mb)*100

You are definitely going to hate the performance of these kazillion individual searches.

Why don't you just make your Python script a macro and stream it directly, like this:

| inputlookup ambp1.csv | `cpt_x("disk", host, cap)` | stats max(used_mb) AS used_mb min(avail_mb) AS avail_mb | eval UsedPct=used_mb/(used_mb+avail_mb)*100


minkyuk
Explorer

Hi, thanks...
Would I need a before eval?

0 Karma

minkyuk
Explorer

Would I need a bucket _time span=1h, I mean?

0 Karma

woodcock
Esteemed Legend

I am unsure what cpt_x does and what is your end goal so I cannot really answer. As I said, I was making some educated guesses.

0 Karma

martin_mueller
SplunkTrust

I see $host$ and %cap% - is that supposed to be that way?

Also, this will be horribly inefficient, launching 10000000 searches just to run some python script. Instead, make the python script deal with more than one CSV row on input at a time and just call it directly.

0 Karma
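An added example, not code from this thread or from the real cpt_x script, of what the last two replies are pointing at: one Python pass over every lookup row at once (martin_mueller's suggestion) that also applies the same max(used_mb)/min(avail_mb) arithmetic the accepted answer puts into stats and eval. Everything below is constructed: the sample CSV rows, the per-host readings that stand in for whatever cpt_x actually collects, and the assumption that the script would be wired up as a legacy custom search command (commands.conf with streaming=true and enableheader=false, so rows arrive as plain CSV on stdin and go back out as CSV on stdout). Because the host and cap values end up as arguments to a probe, each row is validated against a strict hostname pattern and a positive integer before anything is done with it, and rows that fail are reported on stderr rather than passed through.

```python
import csv
import io
import re
import sys

# Constructed sample input shaped like ambp1.csv (host,cap); the last two
# rows are deliberately malformed to exercise the validation path.
SAMPLE_CSV = """host,cap
web01,1000
db01,2000
web02;id,500
web03,abc
"""

# Constructed probe readings: several (used_mb, avail_mb) samples per host,
# standing in for what the real cpt_x would collect. Not real data.
SAMPLE_READINGS = {
    "web01": [(400, 600), (550, 450)],
    "db01": [(1800, 200), (1700, 300)],
}

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_row(row):
    """Return (host, cap_mb) for a well-formed lookup row, else raise ValueError.

    The host string becomes an argument to whatever collects the disk figures,
    so it is matched against a strict pattern instead of passed through verbatim;
    cap must be a positive integer."""
    host = (row.get("host") or "").strip()
    cap = (row.get("cap") or "").strip()
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host {host!r}")
    if not cap.isdigit() or int(cap) <= 0:
        raise ValueError(f"rejected cap {cap!r} for host {host!r}")
    return host, int(cap)


def used_pct(readings):
    """The thread's arithmetic: max(used_mb) / (max(used_mb) + min(avail_mb)) * 100."""
    max_used = max(u for u, _ in readings)
    min_avail = min(a for _, a in readings)
    return max_used, min_avail, max_used / (max_used + min_avail) * 100


def summarize(csv_text, probe):
    """Consume every lookup row in one pass and return (results, rejects).

    probe(host, cap_mb) must return a list of (used_mb, avail_mb) readings."""
    results, rejects = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            host, cap_mb = validate_row(row)
        except ValueError as exc:
            rejects.append(str(exc))
            continue
        readings = probe(host, cap_mb)
        if not readings:
            rejects.append(f"no readings for host {host!r}")
            continue
        max_used, min_avail, pct = used_pct(readings)
        results.append({"host": host, "cap": cap_mb, "used_mb": max_used,
                        "avail_mb": min_avail, "UsedPct": round(pct, 2)})
    return results, rejects


def to_csv(results):
    """Header plus one row per host, the CSV form a legacy custom command writes to stdout."""
    out = io.StringIO()
    fields = ["host", "cap", "used_mb", "avail_mb", "UsedPct"]
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(results)
    return out.getvalue()


def sample_probe(host, cap_mb):
    """Stand-in probe that serves the constructed readings (assumption, not the real cpt_x)."""
    return SAMPLE_READINGS.get(host, [])


if __name__ == "__main__":
    # Under Splunk the rows arrive on stdin; run by hand, fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    results, rejects = summarize(text or SAMPLE_CSV, sample_probe)
    sys.stdout.write(to_csv(results))
    for line in rejects:
        sys.stderr.write(line + "\n")
```

Run stand-alone it prints two result rows (web01 at 55% and db01 at 90%) and reports the two rejected rows on stderr. The point of the one-pass shape is the same as in the thread: one process reading all rows instead of one search per row, and the validation step is the check to keep in front of any script that turns lookup contents into command arguments.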