- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is Lookup before transforming command not prod...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a network attributes sheet which contains all the details of the network devices across the enterprise, and i am looking to calculate the utilisation on those devices. FOr ex : i have to calculate bandwidth utilisation which requires two fields SPEED and incoming bytes. I have speed defined in a lookup for a site and for the same site i am having the incoming bytes in my index. I am trying to do a lookup but for some reason it doesnt produces the results , i tried to reproduce using makeresults and they work, but not the below query. It doesnt even produces any results . What could be the issue.
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
Testing using makeresults***
| makeresults | eval Site=tonumber(0115) | lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
The above gives me the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this give you a list of 4-digit Site values?
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location
If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
And if not that, then maybe this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this give you a list of 4-digit Site values?
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location
If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
And if not that, then maybe this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what did you end up doing? Where was the problem?
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
