Love the code but  it seemed to only do one value in the lookup. What if that event (comparing host in table to event) has 2 fields that don't have null values that need compared to the 2 in the lookup table.  Like in your example they all had the same columns, 3 fields were in the table and the event had 4 different fields. But I have something to start playing with. I will continue to play with this while onboarding other stuff. Look forward to hearing from you again. ... View more

At this location, We handle setting up ITSI and not SA for teams for monitoring. They work with us as we need them. I am in ITSI creating alerts with correlation searches our correlation searches have about 20 lines of required fields that show in the alerts after the calculations. All I need to know is determine if the fields for the event meets or exceeds that percent criteria, if it does it'll generate a of low or high based on what they put in the lookup for the severity.  I could do a case statement in the code but I am trying not to hard code. If I put it into the lookup, if the customer changes their mind on the percents later or they want it to be a low alert instead of critical, they can modify the table without the code being touched.  If you do a custom KPI, I haven't been able to allow the required fields that have to be in the alert for the monitoring group. Here, once the code for that index goes live then it is considered production. Which means, one small change of code requires going thru the testing process between us, the team and the monitoring group who watches the alerts.  It's a whole ordeal.   SO, If I can create a table where the team can say a field and the percent  then it is easier.  Each event in the log the customer is creating has multiple fields to check. The only thing I care about is the host, the field value and the severity.  I am trying to avoid hard coding. If I can't come up with a way to use the lookups, I will do it.  I know that this is NOT what people normally do, but sometimes you have to think outside the box to make life easier. Teams don't know what they want and constantly change their minds. When we are working to onboard new indexes in the building for infrastructure and applications...our team of 4 doesn't have time to do a lot of changes when someone changes their minds. ... View more

I forgot to say when I was doing the spl, I did the mvexpand on the field column so I can just look at each field individually for that line in the log. Then I can alert only on something that is bad. But having the host and the value to compare was where I have issues.   ... View more

Sorry it took so long to get back.  The second Option is starting to get where I need to be. I appreciate the code. How do I keep the host from the original log and have the second column in that has the value I want to compare the columns too.  I am using ITSI but I Originally I thought if I were looking at the event in this custom log using things we all know. LOG: host                    CPU     MeM          UsePct       Swapused  Apple1               5            3                  2                      7 Apple2               4             1                12                     9 Apple3               1              2                4                      8         Lookup host     fieldName     Comparefield *              CPU                   7 *             MEM                   4 *             Swapused        2   Code I thought I could do the foreach line in the log If (<field> Log<=<fieldName>Lookup, "OK", <fieldName>"Error")       ... View more

the mvjoin line was only one way I tried to add all the host together to get it to look like (host1,host2,host3) are not coming in on the description. I am having difficult getting it to be side by side any of the results separated by a comma. that is why I am on here. I have looked thru so much documentation and cannot get my results for the hosts to go into one event that looks like (host1, host2, host3).  You stated to use a foreach command. I am not quite sure how that would look to get it to put the host in one event side by side. ... View more

it's not working as I expect it. I had already knew how to do the description. To simplify, I creating a script for whether it is up or down. If there are no failed alerts, then it is up. I am creating an event for up or down. If their down, I need to add the list of down host to the description. I can't use my stuff but this was enough to give a better understanding. index=myindex message=" failed*" | table host | dedup host | append [| makeresults annotate=true | eval host="Dummy" | table host] |eventstats count | eval status = if(count<2,"UP","DOWN") | eval severity = if(status="DOWN","Critical","Normal") | eval multiplehost=mvjoin(host, ", ") | eval msg=if(severity="Critical","Host Have Failed", "Host are Successful") | eval description=if(severity="Critical",multiplehost,"").msg I have tried different commands to join it and placed it in various places. I can't seem to get it to add them together into (host1,host2,host3) in a description.  ... View more

I know this is an old post. You probably already figured this out. Since there are new people who look at these feeds, I figured I would answer. At this point there is no way to disable a single KPI. You can put the whole service in maintenance to stop the KPI's however, it will stop all of them on that service. Any other changes you would do to stop it would mess with the configuration. My suggestion is that if you feel like there should be an enhancement to the maintenance area that allows individual KPI's to be disabled, then submit the enhancement for a vote. Have all your friends and coworkers vote on it. ... View more

There is no way to automatically shut off the correlation searches based on time. It is a manual process. You can only put the services and entities into maintenance.  https://docs.splunk.com/Documentation/ITSI/4.2.1/Configure/MaintenanceWindows Even though this is an old post, I figured I would answer it because there are a lot of new people coming into the application.   Also, If this is something you feel needs to be a feature of the maintenance process, then put in an enhancement. It is voted on, so get all your friends and coworkers to vote.  ... View more

We are having the same issue.  We have a nagios correlation search for multiple teams. Each team have about 20+ services. There are Parent services but I was told the parent service won't include the children. So how do you put the services on the correlation search. That's over 100 services... I saw where you talked about doing the NEAP. What do you need to add to the correlation search to get the in_maintenance or this said in_mm field to show as a field so you can have it available to use in the NEAP.   Thanks ... View more