I'm trying to match event data with preset limits recorded in a .csv file.
My search looks for a host and its percentage usage of disk space. I want to pair it with an arbitrarily set maximum % used that varies by server.
e.g. Host BUMBLEBEE can have 95% disk usage, but ITCHY can only have 90%.
How do I get lookup to pair the maximum usage value from the .csv file to the event data that shows the % disk space used?
This is my search:
index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space"
| eval "pct_used"=round(100-Value,2)
| eval mount=instance
| eval uniq=host."_".mount
| dedup uniq
| stats last("pct_used") AS pct_used by host,mount
| lookup disk_thresholds host,mount
| eval crit_threshold=coalesce(crit_threshold,70)
| where pct_used > crit_threshold
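An added example, not part of the original post: a Python model of what the lookup, coalesce and where stages of the search above compute, assuming a CSV with the columns host, mount and crit_threshold and exact, case-sensitive matching on both key fields. The CSV rows, mount values, the host SCRATCHY and the events are constructed; the function also reports host/mount pairs that find no row and so fall back to 70.

```python
import csv
import io

# Constructed sample of the lookup file; column names are assumptions taken
# from the fields the search uses (host, mount, crit_threshold).
THRESHOLDS_CSV = """host,mount,crit_threshold
BUMBLEBEE,C:,95
ITCHY,C:,90
"""

# Constructed rows standing in for the (host, mount, pct_used) output of stats.
EVENTS = [
    {"host": "BUMBLEBEE", "mount": "C:", "pct_used": 93.10},
    {"host": "ITCHY", "mount": "C:", "pct_used": 93.10},
    {"host": "itchy", "mount": "D:", "pct_used": 65.00},
    {"host": "SCRATCHY", "mount": "C:", "pct_used": 71.50},
]

DEFAULT_THRESHOLD = 70.0  # same fallback as coalesce(crit_threshold,70)


def load_thresholds(text):
    """Index the CSV by (host, mount), the two fields the lookup matches on."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"].strip(), row["mount"].strip())
        table[key] = float(row["crit_threshold"])
    return table


def evaluate(events, table, default=DEFAULT_THRESHOLD):
    """Return (breaches, unmatched): rows over their limit, keys with no CSV row."""
    breaches, unmatched = [], []
    for ev in events:
        key = (ev["host"], ev["mount"])  # exact, case-sensitive comparison
        limit = table.get(key)
        if limit is None:
            unmatched.append(key)  # this row silently gets the default limit
            limit = default
        if ev["pct_used"] > limit:
            breaches.append({**ev, "crit_threshold": limit})
    return breaches, unmatched


if __name__ == "__main__":
    breaches, unmatched = evaluate(EVENTS, load_thresholds(THRESHOLDS_CSV))
    for b in breaches:
        print(b)
    print("no threshold row for:", unmatched)
```

The unmatched list is the part worth checking against real data: a key that differs only in case or mount spelling is alerted on at the default limit rather than the one in the file.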