- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can a eval field name used as string in SPL search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have a lookup hostlist.csv which have list of host names and other metrics related to it.
i need to filter out each host and their corresponding metrics into separate lookup file.
for ex:
|inputlookup hostlist.csv
|eval hostname="abc"
|table $hostname$,metrics
|outputlookup $hostname$.csv
so if i manually change the hostname's value and run the search query, it should save the metrics of that host in a lookup file with above mentioned naming convention. Is it possible in Splunk?
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @gowtham495,
Check out the map command:
The map command is a looping operator that runs a search repeatedly for each input event or result. You can run the map command on a saved search or an ad hoc search.
So try something like this:
| inputlookup hostlist.csv
| dedup hostname
| map search="| inputlookup hostlist.csv | search hostname=$hostname$ | table hostname,metrics | outputlookup $hostname$.csv"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gowtham495 if you have a list of hosts and corresponding metrics, I am unsure why you need to separate them in different csvs? Have you explored KV Store for maintaining the lookup? How many hosts do you have? What kind of metrics do you have per host? Also how frequently your hosts changes and what is the expected growth of hosts?
Also have you tried the following search which returns only one row from master lookup based on hostname?
| inputlookup hostlist.csv where hostname="abc"
| table hostname, metrics
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your response @niketnilay. Actually i have simplified the problem for easy understanding. real problem is like we have 50 lines of query, we need to create separate csv's for each host (which has a child query take host name and do some more process...that's too technical).
currently we are manually updating host names for 50 occurrences in the query (and repeat this process for 20 other servers ), instead of that we need a user defined token, so that we change host name only once and other places where the host name appear should be taken care of.
hope i made it clear. please tell if some other info is needed.
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @gowtham495,
Check out the map command:
The map command is a looping operator that runs a search repeatedly for each input event or result. You can run the map command on a saved search or an ad hoc search.
So try something like this:
| inputlookup hostlist.csv
| dedup hostname
| map search="| inputlookup hostlist.csv | search hostname=$hostname$ | table hostname,metrics | outputlookup $hostname$.csv"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i tweaked this query to suit my requirements. Worked well !
Thanks a lot @whrg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to use the max_searches parameter of map to scale this.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
