No results after executing the query. There is a lookup file called "bd_users_hierarchy.csv" which contains Active Directory users and "mapr_ticket_contacts.csv " where in UseCase information exists....
See more...
No results after executing the query. There is a lookup file called "bd_users_hierarchy.csv" which contains Active Directory users and "mapr_ticket_contacts.csv " where in UseCase information exists. Please check below screenshot and query i have written to find out Top CPU Users and Usecases on all edge nodes. In the inputlookup file called ""mapr_ticket_contacts.csv", Usecases ends with letter "s,q,g,p" need to trim down and get email addresses. For example If i remove the letter "p" Edge Node Information --- Edge_Nodes_All.csv Active Directory Users --- bd_users_hierarchy.csv UseCases -- mapr_ticket_contacts.csv ( Need to trim down letter "s,q,g,p") I have tried with the below splunk query, but not getting results index=imdc_*_os sourcetype=ps1 [|inputlookup Edge_Nodes_All.csv where Environment="*" AND host="*" |fields host] |fields cluster, host, user, total_cpu | join type=inner host [search `gold_mpstat` OR `silver_mpstat` OR `platinum_mpstat` OR `palladium_mpstat` [|inputlookup Edge_Nodes_All.csv where Environment="*" AND host="*" |fields host] |stats max(eval(id+1)) as cores by host] |eval pct_CPU = round(total_cpu/cores,2) |stats max(total_cpu) as total_cpu, max(pct_CPU) as "CPU %" by user,host,cores |table host user cores total_cpu,"CPU %" | search NOT user IN ("root","imdcsup","hadpsup") |sort - "CPU %"|head 10 | join type=left user [| inputlookup bd_users_hierarchy.csv| rename email as user_email | table user,user_email] | join type=left user [| inputlookup mapr_ticket_contacts.csv | eventstats max(Modified_Time) as Modified_Time_max by UseCase | where Modified_Time=Modified_Time_max | eval Modified_Time=if(Modified_Time=0,"Not Updated",strftime(Modified_Time,"%Y-%m-%d %H:%M")) | rename Updated_By as "Last_Updated_By",Modified_Time as "Last_Modified_Time" | rex field=UseCase "(?<UseCase>.*)." | rename UseCase as user | rename Support_Team_DL as user_email | table user,user_email] Appreciate your quick response on the same.