Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is Lookup before transforming command not prod...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a network attributes sheet which contains all the details of the network devices across the enterprise, and i am looking to calculate the utilisation on those devices. FOr ex : i have to calculate bandwidth utilisation which requires two fields SPEED and incoming bytes. I have speed defined in a lookup for a site and for the same site i am having the incoming bytes in my index. I am trying to do a lookup but for some reason it doesnt produces the results , i tried to reproduce using makeresults and they work, but not the below query. It doesnt even produces any results . What could be the issue.
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
Testing using makeresults***
| makeresults | eval Site=tonumber(0115) | lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
The above gives me the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this give you a list of 4-digit Site values?
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location
If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
And if not that, then maybe this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this give you a list of 4-digit Site values?
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location
If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
And if not that, then maybe this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what did you end up doing? Where was the problem?
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Accelerating Observability as Code with the Splunk AI Assistant
