- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Refining the search through lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Refining the search through lookup
Hi,
Below is the search I am running on a set of servers in the lookup file , I don't want to run the search on all the hosts resulting from my main search that's why I am using the sub search (using inputlookup)
index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host] | where count==0 | table sourcetype host
But when I run the search I see the error :
Regex: invalid UTF-8 string
Can the experts let me know how to get rid of this error?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does this do:
| inputlookup COHL_Sourcetype
Does the above give you the error, too? If so, you definitely need to clean the file.
Also, the search definitely is broken even beyond this error. At a minimum, this | stats count by sourcetype host should be stats count by sourcetype host | table sourcetype host or maybe stats count by sourcetype host | table sourcetype or maybe stats count by sourcetype host | table host.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk expects the lookup files to be in the UTF-8 character set, with normal line endings (Linux or Windows).
Here are the specific requirements from the Configure CSV lookups section of the Knowledge Manager manual. The file must also be in proper CSV format.
Many text editors can find and "zap" weird characters and clean up the line endings in a file. I think Notepad++ may do this, as will BBEdit and others.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you verified there are no weird characters in your inputlookup table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I don't see anything weird in the lookup file. Any way I can remove those characters if any?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you only want to run your search for host,sourcetype combination in subsearch where the value of field count in the subsearch is greater than 0? If yes then, you should include the where clause inside subsearch. Also, add a table command at the end of subsearch to only return the fields that you want to pass (and which are available in ) in base search.
index=cohl [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count=0 | table sourcetype host]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried your query but it doesn't work , to test it I placed 'where count >=0' , but it again gave me that error .
index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count ==0 | table sourcetype host]
The above query doesn't return anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=cohl [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format ]
OR
index=cohl [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format "" "" "" "" "" ""]
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
