Splunk Search

lookup CSV file and then search server disk performance

ravinayan_acc
Loves-to-Learn Lots

Hi All,

I have done a index search for disk data and then lookup to the CSV to check as per the Application which servers data need to be displayed in the dashboard panel.

can some one suggest me how to get the application data in CSV as per Application and then pull the disk performance data from the index.

Please suggest. as I am do the below. but not able to use the sv_value in index search.

| inputlookup Server_details.csv | search Application="app name"
| stats dc(Server) as "Count of Server", values(Server) as Server by Application
| eval Server = mvjoin(Server, " OR ")
| stats values(Server) as sv_value

Please suggest.

Regards,

Nayan

Labels (2)
Tags (1)
0 Karma

tscroggins
Influencer

@ravinayan_acc 

If we assume you're using Splunk-provided operating system add-ons with performance inputs enabled on default indexes, and your lookup file contains one Server and Application entry per row, you can use this:

tag=performance tag=storage
    [| inputlookup Server_details.csv where Application="app name" 
    | table Server 
    | rename Serer as host ] 
| stats latest(storage_used_percent) by host mount

The tags will limit search results to storage metrics. The subsearch will limit search results to your application servers by application name.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...