Hi, I am hoping you can help me here. I am running a search out of a saved search using the load job.. I did something like : |loadjob savedsearch="abc:search:my search" This produces a table of field cols that look like host1#maxpings , host2#maxpings etc.. Where max pings s the maximum pings that the host can have. Under these columns are the daily pingNumbers for these hosts. something like : …... -………… host1#23…………. host2#56.1 day1 ………...3………………………..4 day2 ………..10……………………..11 day3 ………..20……………………….50 I need to find out if the average pings for 3 days is more than the numbering the column name. for example : in the above, I need to find for column1, (3+10+20)/3 < 23 and for column2 (4+11+50)/3 < 56.1 … I should then show only those columns, where the avg number is less than the number in the column… i want to pseudocode something like |loadjob savedsearch="abc:search:my search" | stats avg(*) as average(*) | where average < substring-after( col-name,'#') . So that this will show only those columns where the average is less than the number in the column. I am losing hopes on the help from google and splunk docs. Help with this will be highly appreciated. Thanks in advance. dT ... View more

Hi All, I have a lookup table that looks like: Key,value cat1,val1 cat2,val2 cat3,val3 this is in a lookup file called keyvalpairs.csv i want to query the look up table to return value when a key is passed in. key is a concat of two field values in a search i want a pseudo query that looks something like, sourcetype = * | eval keyfield = field1."#'.field2 | lookup keyvalpairs.csv [where Key = **keyfield] OUTPUT value | so that the concat of field1 and field2 from the events is looked into the CSV and the corresponding value is printed.. is this doable? ... View more

Dear Splunkers. I have a form, where I am loading a drop down, using a lookup file, that searches the top products. I am using. ><![CDATA[|inputlookup top-products.csv]]> The top-products.csv is a result of outputting the search results of the top products. <!-- index = "ssh" | dedup product | table product | outputlookup products-table.csv called as Search-Product--> I then use one of the products selected in the drop down for creating a search string. All works fine. I now need to make sure I always get the correct and updated set of products in the drop down. This probably requires me to run the search " Search-Product" above, regularly like every day, so that I can get the updated results every day.. Is there a way to schedule a search like : index = "ssh" | dedup product | table product | outputlookup products-table.csv on a daily basis or hourly basis? Dak ... View more

Hi All, I have created a lookup table of all the users by piping the search results to output lookup called users.csv. I would need to now read the csv and populate a drop down… I looked up the resources, and nothing seems to be really working… I saw the look up files using the manager and I can indeed see the loop up file there. So my Questions are : 1) Is there a way to see the lookup file that the output lookup created? I mean see the contents of the file? 2) How do I use it to populate the drop down. This file contains only user information and nothing else. 3) is there some other alternate way of doing the same? ... View more

HI All, I am new to SPlunk. My colleague who is very experienced in this, had this in his code.. eval runtime="$run.value$" I searched for the $run.value$ in the code and I couldn't find any. If anyone would please point me to where I can search for this , It will be of great relief. I am guessing this is some env variable, but I am not sure. Thanks in advance… dak ... View more