Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Static field value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have created a dashboard to show windows server uptime.
Now I would like to add application name of all servers. For example, Application A is hosted on Server A and Application B is hosted on Server B. I want to show these application in the dashboard corresponding their respective server names.
index = Index host=ServerA OR host=ServerB OR host=ServerC OR host=ServerD OR host=ServerE | eval Uptime_Days = System_Up_Time/86400 | chart max(Uptime_Days) as "System Uptime in Days" by host | sort -Uptime_Days
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A lookup table should do the job. Create a CSV file with an "Application" column and a "Server" column. Then reference the lookup in your query.
index = Index host=ServerA OR host=ServerB OR host=ServerC OR host=ServerD OR host=ServerE
| eval Uptime_Days = System_Up_Time/86400
| chart max(Uptime_Days) as "System Uptime in Days" by host
| sort -Uptime_Days
| lookup servers.csv Server as host OUTPUT Application
| table host Application Uptime_Days
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this is best achieved with a lookup.
This thread should get you pointed in the right direction:
https://answers.splunk.com/answers/659192/how-to-use-a-lookup-table-in-a-splunk-query.html
Hope that helps!
rmmiller
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A lookup table should do the job. Create a CSV file with an "Application" column and a "Server" column. Then reference the lookup in your query.
index = Index host=ServerA OR host=ServerB OR host=ServerC OR host=ServerD OR host=ServerE
| eval Uptime_Days = System_Up_Time/86400
| chart max(Uptime_Days) as "System Uptime in Days" by host
| sort -Uptime_Days
| lookup servers.csv Server as host OUTPUT Application
| table host Application Uptime_Days
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried as suggested, but not getting any server up time now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Rich, it worked by just tweaking a bit as below :-
index = Index host=ServerA OR host=ServerB OR host=ServerC OR host=ServerD OR host=ServerE
| lookup servers.csv Server as host OUTPUT Application
| eval Uptime_Days = System_Up_Time/86400
| stats max(Uptime_Days) as "System Uptime in Days" by host Application
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
