I have a query regarding the use of the strcat functionality. The following search is used to generate an alarm condition.
index="ft" ftp | stats count(eval(status="failed")) as fail_cnt count(eval(status="success")) as success_cnt by user | strcat "[OPS:FTP:CRITICAL]{NODE:MON1}SFTP Connectivity " user host " Please raise incident with userdescription" "userdetails ALARM_DESCRIPTION | eval CLEAR=case(success_cnt>0, "1")
It works fine except that the userdetails and userdescription within the strcat argument will not populate. Userdetails and userdescription are lookups from a file (using the user field) which are valid and will populate if defined in a table, i.e.
| table user success_cnt failed_cnt userdetails userdescription
Any help on this would be appreciated.
It looks to me like you have mismatched " (quote) marks, but maybe that was just transcribed wrong. Use the eval + or . operators instead of strcat:
... | eval ALARM_DESCRIPTION = "String1" + user + host + " xyz" | ...
That is as designed. stats only outputs the fields it specifically computed, and the split-by fields. You should either run the lookup again, or use first(fieldname) as fieldname in stats.
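Putting the two answers above together, here is a rewritten version of the search (an added example, not the original poster's search). It assumes the lookup is named user_details_lookup and is keyed on the user field, and it also carries host through stats with first(host), since host is dropped by stats in the same way as the lookup fields:

```spl
index="ft" ftp
| stats count(eval(status="failed")) AS fail_cnt
        count(eval(status="success")) AS success_cnt
        first(host) AS host
        BY user
| lookup user_details_lookup user OUTPUT userdetails userdescription
| eval ALARM_DESCRIPTION="[OPS:FTP:CRITICAL]{NODE:MON1}SFTP Connectivity " . user . " " . host . " Please raise incident with " . userdescription . " " . userdetails
| eval CLEAR=case(success_cnt>0, "1")
| table user fail_cnt success_cnt userdetails userdescription ALARM_DESCRIPTION CLEAR
```

If userdetails and userdescription are already present on the raw events through an automatic lookup, the lookup line can be replaced by adding first(userdetails) AS userdetails first(userdescription) AS userdescription to the stats call instead.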
The problem here seems to be that no fields are passed on after the stats command.