Splunk Enterprise 7.2.0
I have my query:
index="_itrospection" component ="hostwide" | timechart max(data.mem.mem_used) as Current by splunk_server
In the legend I see the splunk_server descriptions based on hostnames.
I created lookup indexers.csv:
indexer,site
hostname1,Site-1
hostname2,Site-2
How can I use lookup to replace splunk_server fields by lookup field site?
Grate, it is working fine.
My mistake was:
index="_introspection" component ="hostwide"
| lookup indexers indexer as splunk_server OUTPUT indexer as splunk_server
| timechart max(data.mem.mem_used) as Current by splunk_server
Grate, it is working fine.
My mistake was:
index="_introspection" component ="hostwide"
| lookup indexers indexer as splunk_server OUTPUT indexer as splunk_server
| timechart max(data.mem.mem_used) as Current by splunk_server
Hi @wieslaww do you have 1 to 1 mapping between host name and Site or not?
If so, create a Lookup Definition for indexers.csv and then change the query as following:
index="_introspection" component ="hostwide"
| lookup indexers indexer as splunk_server OUTPUT site
| timechart max(data.mem.mem_used) as Current by site