I have a lookup on sourcetype=vipservices
csv file has values like so
jurhash, jurhasfriendlyname
somehashvalue, somehashvalue_friendly_name
Works fine when i am running the lookup on the sourcetype, but when i populate a summary index and try to use the lookup the sourcetype gets renamed to "Stash".
What's the best way to preserve sourcetype or reference original sourcetype for the existing lookup to use against the summary index?
Any other workarounds would work also
Thanks
I've given a couple of options below, but I do have a question: what does your populating search look like? I assumed that you were using sistats ...
Option 1 - you could use the lookup command when you retrieve the data from the summary index
index=yoursummaryindex saved_search=yoursavedsearch
| lookup yourlookupname jurhash OUTPUT juhasfriendlyname
| ... whatever you want to get out ...
Option 2 - put the lookup into the populating search (which I called yoursavedsearch
in option 1):
sourcetype=vipservices | sistats whateverstats by whateverfields jushasfriendlyname
and then the juhasfriendlyname
will be stored, like any other field, in the summary index. You will not need to do the lookup when you retrieve the data from the summary index.
Our populating search was this btw:
index="vip" sourcetype=vipservices
| transaction TR startswith="Operation Start" endswith="Operation End"
| eval elapsed_wait=elapsed_operation-elapsed_request
| sistats count, avg(elapsed_operation) as total-avg, perc80(elapsed_operation) as total-80, perc90(elapsed_operation) as total-90,
perc95(elapsed_operation) as total-95, perc98(elapsed_operation) as total-98, perc99(elapsed_operation) as total-99,max(elapsed_operation) as total-max,
avg(elapsed_responder) as resp-avg, max(elapsed_responder) as resp-max,
avg(elapsed_request) as req-avg, max(elapsed_request) as req-max,
avg(elapsed_wait) as wait-avg, max(elapsed_wait) as wait-max
by host, JURHASH, OP
I've given a couple of options below, but I do have a question: what does your populating search look like? I assumed that you were using sistats ...
Option 1 - you could use the lookup command when you retrieve the data from the summary index
index=yoursummaryindex saved_search=yoursavedsearch
| lookup yourlookupname jurhash OUTPUT juhasfriendlyname
| ... whatever you want to get out ...
Option 2 - put the lookup into the populating search (which I called yoursavedsearch
in option 1):
sourcetype=vipservices | sistats whateverstats by whateverfields jushasfriendlyname
and then the juhasfriendlyname
will be stored, like any other field, in the summary index. You will not need to do the lookup when you retrieve the data from the summary index.
option #1 worked, nice that you can call the lookup on demand. thanks very much!