Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is Lookup before transforming command not prod...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a network attributes sheet which contains all the details of the network devices across the enterprise, and i am looking to calculate the utilisation on those devices. FOr ex : i have to calculate bandwidth utilisation which requires two fields SPEED and incoming bytes. I have speed defined in a lookup for a site and for the same site i am having the incoming bytes in my index. I am trying to do a lookup but for some reason it doesnt produces the results , i tried to reproduce using makeresults and they work, but not the below query. It doesnt even produces any results . What could be the issue.
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
Testing using makeresults***
| makeresults | eval Site=tonumber(0115) | lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
The above gives me the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this give you a list of 4-digit Site values?
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location
If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
And if not that, then maybe this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this give you a list of 4-digit Site values?
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location
If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
And if not that, then maybe this:
index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what did you end up doing? Where was the problem?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
