Splunk Search

How to combine my searches to be able to use lookup in an eval statement?

arichardson
Engager

I'm having trouble with a search and I'm banging my head against the wall. I feel like I'm on the right track but just not there yet.

So, long story short: I'm charting Windows server performance metrics. I'm working on Memory. The events I'm using for this are collected via Perfmon. In this case, I want to chart roughly how much memory a server is using. To do this I can get the "Available MBytes" perfmon counter and subtract from the server's installed physical RAM. Perfmon can't tell me how much physical RAM the server has, so I used PowerShell to create a lookup table that has all of our servers and their configured RAM in them, because this isn't going to change very often. That way I can take configured RAM minus Available MBytes = Used RAM.

My first search just charts the "Available MBytes" counter, nothing fancy:

host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes" | eval GBs=(Value/1024) | timechart bins=500 avg(GBs) by counter

My lookup table (a CSV) has two columns: Server and RAM. Server has the server name in it, RAM is just the number in GB of RAM. So let's assume ServerName001 has 8GB of RAM. I can get the 8 back from the lookup table a few ways.

| inputlookup InstalledRAMLookup.csv | search Server=ServerName001 | fields RAM

I can also run an eval against the RAM after I grab it out of the lookup table and get the correct result for DivTest, like so:

| inputlookup InstalledRAMLookup.csv where (Server="ServerName001") | eval DivTest=(1/RAM)

What I can't seem to do is combine these searches together in a way that I can get the value of RAM and use it in an eval statement to get a simple piece of data per event: RAM - Available MBytes = Usage. I think the answer may be in using eval TotalGBs=[ lookup statement here] but Splunk says you can't put a boolean in an eval function.

Any help on this would be greatly appreciated. Thank you.


sundareshr
Legend

You need to use lookup, not inputlookup. This should add a field called RAM with values for the matching host. You can now use this for your calculation (GB/RAM).

host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes" | lookup InstalledRAMLookup.csv Server AS host OUTPUT RAM | eval GBs=(Value/1024)  | ...
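Putting the lookup from the answer above into a complete search, as an added example that is not part of the original thread. It assumes a lookup definition named InstalledRAMLookup (the name used later in this thread) over a CSV with the columns Server and RAM, RAM expressed in GB, and Perfmon events that carry the server name in the host field; the 5-minute span and the output field names are my choices.

```spl
sourcetype="Perfmon:Memory" counter="Available MBytes" host=ServerName001
| lookup InstalledRAMLookup Server AS host OUTPUT RAM
| eval RAM=tonumber(RAM), AvailableGB=Value/1024
| eval UsedGB=RAM-AvailableGB, UsedPct=round(100*UsedGB/RAM, 1)
| timechart span=5m avg(UsedGB) AS "Used GB" avg(AvailableGB) AS "Available GB" max(RAM) AS "Installed GB"
```

`Server AS host` is the part that does the work: it tells lookup to compare the CSV's Server column against the event's host field. Without an AS clause, lookup looks for a field literally named Server in each event. Because lookup output arrives as a string, `tonumber(RAM)` makes the arithmetic explicit; for any host with no matching CSV row RAM is empty, so UsedGB and UsedPct come back empty rather than silently wrong, which is easy to spot on the chart. To chart every server at once, drop the host filter and use `timechart span=5m avg(UsedGB) by host` (timechart only takes a single aggregation when a by clause is present).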

arichardson
Engager

My lookup doesn't appear to be working. If I just do a regular | inputlookup InstalledRAMLookup the entire table returns, which is good. If I use host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes" | lookup InstalledRAMLookup Server OUTPUT RAM | table host,RAM,Value to try and take a look at all the events to make sure RAM is getting populated, I get a NULL value in return. I know I've defined the lookup via the Splunk web interface and set permissions to be open to everyone. I'm not sure what I'm missing here; I will keep looking.

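A check for the situation where RAM comes back empty, added here as an example and not part of the thread. It assumes the same lookup definition InstalledRAMLookup and that events carry the server name in host. Two things have to line up for lookup to populate RAM: the field named on the left of AS has to exist in the events (or be mapped with AS to the one that does), and its values have to match the CSV's Server column exactly, since CSV lookups are case-sensitive by default and an FQDN in host will not match a short name in the CSV. The search below lists every host seen in recent events and every Server in the CSV side by side and says which kind of mismatch, if any, applies.

```spl
sourcetype="Perfmon:Memory" counter="Available MBytes" earliest=-15m
| stats count AS events BY host
| eval side="events", key=host
| append [| inputlookup InstalledRAMLookup | eval side="csv", key=Server | fields key side RAM]
| eval key_norm=lower(trim(key))
| stats values(side) AS seen_in, values(key) AS raw_values, values(RAM) AS RAM BY key_norm
| eval status=case(
    mvcount(seen_in)=2 AND mvcount(raw_values)=1, "exact match",
    mvcount(seen_in)=2, "match only after lowercase/trim: fix case or whitespace in the CSV",
    isnull(RAM), "host has events but no CSV row",
    true(), "CSV row with no events in the window")
| table key_norm raw_values seen_in RAM status
```

A row reading "exact match" is a host for which `| lookup InstalledRAMLookup Server AS host OUTPUT RAM` will populate RAM. The "match only after lowercase/trim" rows are the typical cause of an empty RAM column: the CSV was generated with a different capitalisation than the forwarder reports, or a trailing space crept in. "host has events but no CSV row" usually means the CSV holds the FQDN while host is the short name, or the other way round. Widen `earliest` if a server reports less often than every 15 minutes, and keep in mind that the append subsearch is subject to the usual subsearch row limit, which is only a concern for very large inventories.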