use inputlookup with field index and count as sub ...

bapun18 · ‎09-04-2019

I have an inputlookup which have 2 fields index and count, I need to create an alert so that alert will trigger when we have greater value of real index values mentioned over count field in lookup.

I have used following query but I want to get pass the index name as a sub search to inputlookup.

|inputlookup idx_myvdf.csv | table index | stats count by index | where count  > 0

I have tried below query as well, but still no result, want to pass index name mentioned under lookup and their actual count and then I want to put where count > actual_count

|tstats c by index where index[|inputlookup idx_myvdf.csv | rename index AS actual_index | fields actual_index] | table indexcount actual_index actual_count

Please suggest it's urgent
alt text

renjith_nair · ‎09-04-2019

@bapun18,

Try

| tstats count where (index=* OR index=_*) by index
| lookup idx_myvdf.csv index OUTPUT count as threshold
| appendcols [|inputlookup idx_myvdf.csv|where index="default"|fields count|rename count as default|filldown default
| eval threshold=coalesce(threshold,default)|where count > threshold

---
What goes around comes around. If it helps, hit it with Karma 🙂

use inputlookup with field index and count as sub search

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

use inputlookup with field index and count as sub search

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming