Splunk to take the second queries result(field) into first query for Percentage Memory of Linux host
I am a newbie to SplunK.
I am trying to pull the Memory % of my Linux hosts which belong to a particular group called Database_hosts.
I am able to get the Memory % of a particular host if I provide that explicitly as host="host01.example.com" however, I'm looking to run this query against multiple hosts.
Multiple hosts which belong to Database_hosts group I can extract from the inputlookup cmdb_host.csv in Splunk.
Now, I can extract the hosts from inputlookup cmdb_host.csv where it contains the hosts in name field but I am clueless how to put my second query into my first query ie sourcetype=top pctMEM=* host="host01.example.com"
Both the queries working independently though.
My first query:
sourcetype=top pctMEM=* host="host01" OR host="host02"
| multikv
| dedup host
| rex field=pctMEM "(?<usage>\d+)"
| where usage> 40
| table host pctMEM
Result on run:
and this is my second query:
| inputlookup cmdb_host.csv
| search support_group="Database_hosts" NOT (fqdn IN("ap*", "aw*",""))
| table name
Result on run:
How I can use my second query output field name into first query's host= field?
Any help will be much appreciated.
EDIT: just tried but no luck:
sourcetype=top pctMEM=* host="[inputlookup cmdb_host.csv where support_group="Database_hosts" | table name]
| multikv
| dedup name
| rex field=pctMEM "(?<usage>\d+)"
| where usage>20
| table name pctMEM
You're very close. If you run the subsearch (the part inside square brackets) by itself and add | format then you'll see what is returned to the main search. It'll look something like ((name=host01) OR (name=host02)). Combining that with the main search produces:
sourcetype=top pctMEM=* host=((name=host01) OR (name=host02))
| multikv
| dedup name
| rex field=pctMEM "(?<usage>\d+)"
| where usage>20
| table name pctMEM
which won't work. It can be fixed by renaming name to host in the subsearch and letting the subsearch create the expression.
sourcetype=top pctMEM=* [|inputlookup cmdb_host.csv where support_group="Database_hosts"
| return 100 host=name]
| multikv
| dedup name
| rex field=pctMEM "(?<usage>\d+)"
| where usage>20
| table name pctMEM
The return command tells Splunk to return up to 100 results and rename name to host. It's equivalent to fields name | rename name as host | format.
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?