Splunk Search

Searching through "inputlookups" - syntax error?

minkyuk
Explorer
|inputlookup ambp1.csv|fields host,cap| map maxsearches=10000000 search="|cpt_x disk $host$ %cap%|eval UsedPct=(max(used_mb)/(max(used_mb)+min(avail_mb))*100)"

So ambp1.csv is a list with 2 columns : host, cap

And I'm trying to run every row of this csv file and put it through a Python script cpt_x disk that takes

<host name> "cap" | ... format to output ONE result from ONE row.

I am stuck big time here.
I would appreciate any input from you guys if you catch anything from the line above!

Jack

0 Karma
1 Solution

woodcock
Esteemed Legend

Your percent characters % should be dollar characters $ like this and you cannot use max outside of stats or similar (streamed set of events). I am guessing that something like this is what you are trying to do:

| inputlookup ambp1.csv | fields host,cap | map maxsearches=10000000 search="|cpt_x disk $host$ $cap$" | stats max(used_mb) min(avail_mb) | eval UsedPct=('max(used_mb)'/('max(used_mb)'+'min(avail_mb)')*100)

You are definitely going to hate the performance of this kazillion individual searches.

Why don't you just make your python script a macro and stream it directly like this:

| inputlookup ambp1.csv | `cpt_x("disk", host, cap)` | stats max(used_mb) min(avail_mb) | eval UsedPct=('max(used_mb)'/('max(used_mb)'+'min(avail_mb)')*100)

minkyuk
Explorer

Hi, thanks...
Would I need a before eval?

0 Karma

minkyuk
Explorer

Would I need a bucket _time span=1h, I mean?

0 Karma

woodcock
Esteemed Legend

I am unsure what cpt_x does and what is your end goal so I cannot really answer. As I said, I was making some educated guesses.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I see $host$ and %cap% - is that supposed to be that way?

Also, this will be horribly inefficient, launching 10000000 searches just to run some python script. Instead, make the python script deal with more than one CSV row on input at a time and just call it directly.

0 Karma
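Added example, not code from the thread: the batch design woodcock and martin_mueller describe, written in plain Python as the shape of a legacy custom command (CSV rows in on stdin, CSV events out on stdout). The real cpt_x is not described on the page, so fake_probe is a constructed stand-in, the sample rows are constructed, and grouping by host is an assumption.

```python
import csv
import sys

# Constructed lookup rows standing in for ambp1.csv (columns: host, cap).
SAMPLE_ROWS = [{"host": "web01", "cap": "80"}, {"host": "db01", "cap": "90"}]

# Constructed stand-in for cpt_x: returns (used_mb, avail_mb) samples per host.
# The page does not say what cpt_x does or what "cap" means; cap is passed through untouched.
FAKE_SAMPLES = {("web01", "80"): [(700, 300), (650, 350)], ("db01", "90"): [(1800, 200)]}


def fake_probe(host, cap):
    return FAKE_SAMPLES.get((host, cap), [])


def enrich_rows(rows, probe=fake_probe):
    """Streaming step: handle every lookup row in one pass, emitting one event
    per sample, instead of launching one search per row through map."""
    events = []
    for row in rows:
        for used_mb, avail_mb in probe(row["host"], row["cap"]):
            events.append({"host": row["host"], "cap": row["cap"],
                           "used_mb": used_mb, "avail_mb": avail_mb})
    return events


def stats_used_pct(events):
    """Equivalent of '| stats max(used_mb) min(avail_mb) by host
    | eval UsedPct=...' (the 'by host' grouping is an assumption)."""
    agg = {}
    for ev in events:
        a = agg.setdefault(ev["host"], {"max_used": ev["used_mb"], "min_avail": ev["avail_mb"]})
        a["max_used"] = max(a["max_used"], ev["used_mb"])
        a["min_avail"] = min(a["min_avail"], ev["avail_mb"])
    return {h: round(a["max_used"] / (a["max_used"] + a["min_avail"]) * 100, 2)
            for h, a in agg.items()}


def main():
    # Legacy custom-command shape: read the piped rows as CSV, write events as CSV.
    events = enrich_rows(list(csv.DictReader(sys.stdin)))
    writer = csv.DictWriter(sys.stdout, fieldnames=["host", "cap", "used_mb", "avail_mb"])
    writer.writeheader()
    writer.writerows(events)


if __name__ == "__main__":
    main()
```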