Strcat and lookups

mcwomble
Path Finder

I have a query regarding the use of the strcat functionality. The following search is used to generate an alarm condition.

index="ft" ftp | stats count(eval(status="failed")) as fail_cnt count(eval(status="success")) as success_cnt by user | strcat "[OPS:FTP:CRITICAL]{NODE:MON1}SFTP Connectivity " user host " Please raise incident with " userdescription " " userdetails ALARM_DESCRIPTION | eval CLEAR=case(success_cnt>0, "1")

It works fine except that the userdetails and userdescription fields within the strcat argument will not populate. userdetails and userdescription are lookups from a file (keyed on the user field) which are valid and will populate if listed in a table, i.e.

| table user success_cnt fail_cnt userdetails userdescription

Any help on this would be appreciated.


gkanapathy
Splunk Employee

It looks to me like you have mismatched " (quote) marks, but maybe that was just transcribed wrong. Use the eval + or . operators instead of strcat:

... | eval ALARM_DESCRIPTION = "String1" + user + host + " xyz" | ...

gkanapathy
Splunk Employee

That is as designed. stats only outputs the fields specifically computed and the split-by fields. You should either run the lookup again, or use first(fieldname) as fieldname in stats.

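Both fixes described in the answer above, written out as an added example (not from the original post or from Splunk). It assumes the lookup is defined as ftp_users keyed on user, and it adds host to the BY clause because host is dropped by stats for the same reason the lookup fields are.

```spl
index="ft" ftp
| lookup ftp_users user OUTPUT userdetails userdescription
| stats count(eval(status="failed")) AS fail_cnt
        count(eval(status="success")) AS success_cnt
        first(userdetails) AS userdetails
        first(userdescription) AS userdescription
        BY user host
| eval ALARM_DESCRIPTION="[OPS:FTP:CRITICAL]{NODE:MON1}SFTP Connectivity " . user . " " . host . " Please raise incident with " . coalesce(userdescription, "unknown") . " " . coalesce(userdetails, "unknown")
| eval CLEAR=case(success_cnt>0, "1")

index="ft" ftp
| stats count(eval(status="failed")) AS fail_cnt
        count(eval(status="success")) AS success_cnt
        BY user host
| lookup ftp_users user OUTPUT userdetails userdescription
| eval ALARM_DESCRIPTION="[OPS:FTP:CRITICAL]{NODE:MON1}SFTP Connectivity " . user . " " . host . " Please raise incident with " . coalesce(userdescription, "unknown") . " " . coalesce(userdetails, "unknown")
| eval CLEAR=case(success_cnt>0, "1")
```

The first search carries the lookup fields through stats with first(); the second runs the lookup after stats, which is cheaper because it only enriches one row per user/host instead of every event. coalesce() keeps ALARM_DESCRIPTION from becoming null when a user has no lookup match, since eval concatenation with a null field yields null.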

mcwomble
Path Finder

The problem here seems to be that no fields are passed on after the stats command.
