Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help to adapt a search with a new datasource

jip31
Motivator
‎10-22-2020 02:35 AM

Hello

 

Until now, I was using this search :

 

[| inputlookup host.csv 
    | table host] `fiability` 
| fields host Logfile SourceName ProductName 
| eval host=upper(host) 
| lookup fo_all HOSTNAME as host output SITE 
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)
| stats count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName  
| sort -"Number of crashes" 
| head 10

 

 

The host.csv lookup was updated manually in order to add new hostname

The lookup host.csv is now replace by a KV store called "cmdb_fo_all"

 

| inputlookup cmdb_fo_all where TYPE="Ind"

 

With this KV store, it's possible to filter automatically the type of hostname I need

Please also note that the field host is called "HOSTNAME" in this KV

Now I need to replace the lookup by the KV store in my search

Could you help me please?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 06:24 AM

You appear to have what you need.  The only thing missing is a rename of the new field to match that used by the rest of the query.

[| inputlookup cmdb_fo_all where TYPE="Ind" | rename HOSTNAME as host
    | table host] `fiability` 
| fields host Logfile SourceName ProductName 
| eval host=upper(host) 
| lookup fo_all HOSTNAME as host output SITE 
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)
| stats count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName  
| sort -"Number of crashes" 
| head 10

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 06:24 AM

You appear to have what you need.  The only thing missing is a rename of the new field to match that used by the rest of the query.

[| inputlookup cmdb_fo_all where TYPE="Ind" | rename HOSTNAME as host
    | table host] `fiability` 
| fields host Logfile SourceName ProductName 
| eval host=upper(host) 
| lookup fo_all HOSTNAME as host output SITE 
| search Logfile=Application AND (SourceName="Application Hang" OR SourceName="Application Error") 
| search (ProductName=*)
| stats count(eval(SourceName="Application Error")) as "Number of Errors", count(eval(SourceName="Application Hang")) as "Number of Hang", count as "Number of crashes" by ProductName  
| sort -"Number of crashes" 
| head 10

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-22-2020 09:41 PM

thanks richgalloway

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...