Splunk Search

How can I extract a field using "lookup" and a .csv file that doesn't pair to an event?

mdennisAPFCU
Engager

I'm trying to match event data with preset limits recorded in a .csv file.

My search looks for a host and its percentage usage of disk space. I want to pair it with an arbitrarily set maximum % used that varies by server.
e.g. Host BUMBLEBEE can have 95% disk usage, but ITCHY can only have 90%.

How do I get lookup to pair the maximum usage value from the .csv file to the event data that shows the % disk space used?

This is my search:

index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space"
| eval "pct_used"=round(100-Value,2) | eval mount=instance
| eval uniq=host."_".mount | dedup uniq
| stats last("pct_used") AS pct_used by host,mount | lookup disk_thresholds host,mount
| eval crit_threshold=coalesce(crit_threshold,70)
| where pct_used > crit_threshold
0 Karma

woodcock
Esteemed Legend

The answer from @lguinn is incorrect; your lookup should work fine but there were a few tweaks that should make your stuff work (better), PROVIDED your lookup table has a field called exactly crit_threshold (it might actually be, for example, crit_threshhold); try this:

index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space" | eval pct_used=round(100-Value,2) | stats last(pct_used) AS pct_used BY host instance | lookup disk_thresholds host mount AS instance | eval crit_threshold=coalesce(crit_threshold,70) | where pct_used > crit_threshold
0 Karma

lguinn2
Legend

The logic of your search is fine. A lookup does not have to match an "event" per se, it matches against a field.

The syntax of your lookup command is wrong. It should be

| lookup disk_thresholds host mount OUTPUT crit_threshold

Assuming that you have uploaded a CSV file and set up a lookup named disk_thresholds with the appropriate fields.

Here is a step by step guide to setting up a lookup.

0 Karma
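To make the behaviour of both answers concrete, here is an added example that is not part of the thread and not Splunk's own code: a small Python model of what the search does once the lookup is wired up, with the threshold CSV and the perfmon-style events constructed inline (hypothetical hosts and values). It models `eval pct_used=round(100-Value,2)`, the per-host/mount aggregation, the lookup by (host, mount), the `coalesce(crit_threshold,70)` default for hosts missing from the CSV, and the final `where`. It also checks the CSV header for the exact column name, which is the failure mode woodcock raises (a column spelled `crit_threshhold` would silently leave every host on the default of 70).

```python
import csv
import io

# Constructed stand-in for the disk_thresholds.csv lookup (hypothetical contents).
# The column name must be exactly what the search references: crit_threshold.
DISK_THRESHOLDS_CSV = """host,mount,crit_threshold
BUMBLEBEE,C:,95
ITCHY,C:,90
ITCHY,D:,80
"""

# Constructed perfmon-style "% Free Space" samples, oldest first.
EVENTS = [
    {"host": "BUMBLEBEE", "instance": "C:", "Value": 10.0},   # 90% used
    {"host": "BUMBLEBEE", "instance": "C:", "Value": 3.5},    # 96.5% used (most recent)
    {"host": "ITCHY", "instance": "C:", "Value": 12.0},       # 88% used
    {"host": "ITCHY", "instance": "D:", "Value": 15.0},       # 85% used
    {"host": "SCRATCHY", "instance": "C:", "Value": 20.0},    # 80% used, host absent from lookup
    {"host": "ITCHY", "instance": "_Total", "Value": 5.0},    # dropped by instance!=_Total
]

EXCLUDED_INSTANCES = {"_Total", "HarddiskVolume1"}


def load_thresholds(csv_text):
    """Parse the lookup CSV into {(host, mount): crit_threshold}.

    Raises ValueError when a required column is missing or misspelled, so the
    mistake is visible instead of every host quietly falling back to the default.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    required = {"host", "mount", "crit_threshold"}
    missing = required - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"lookup is missing columns: {sorted(missing)}")
    return {(row["host"], row["mount"]): float(row["crit_threshold"]) for row in reader}


def latest_pct_used(events):
    """Model `eval pct_used=round(100-Value,2)` plus one row per host/mount.

    Keeps the most recent sample for each (host, instance). In SPL the asker's
    `dedup uniq` before `stats` achieves this; note that `stats last()` on its own
    is order-dependent, while `latest()` picks by event time.
    """
    latest = {}
    for ev in events:
        if ev["instance"] in EXCLUDED_INSTANCES:
            continue
        key = (ev["host"], ev["instance"])          # instance doubles as the mount field
        latest[key] = round(100 - ev["Value"], 2)   # later samples overwrite earlier ones
    return latest


def breaches(events, csv_text, default_threshold=70.0):
    """Model `lookup disk_thresholds host mount OUTPUT crit_threshold
    | eval crit_threshold=coalesce(crit_threshold,70) | where pct_used > crit_threshold`."""
    thresholds = load_thresholds(csv_text)
    results = []
    for (host, mount), pct in latest_pct_used(events).items():
        crit = thresholds.get((host, mount), default_threshold)  # coalesce(crit_threshold, 70)
        if pct > crit:
            results.append(
                {"host": host, "mount": mount, "pct_used": pct, "crit_threshold": crit}
            )
    return results


if __name__ == "__main__":
    for row in breaches(EVENTS, DISK_THRESHOLDS_CSV):
        print(row)
```

Running it reports BUMBLEBEE C: (96.5% against its 95% limit), ITCHY D: (85% against 80%) and SCRATCHY C: (80% against the default 70, because SCRATCHY is not in the CSV); ITCHY C: stays quiet at 88% against 90%. Feeding it a CSV whose header reads `crit_threshhold` raises immediately, which is the check worth adding to whatever job refreshes the lookup file.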