Welcome to the fifth article of the Spelunking your Splunk series, all designed to help you understand your Splunk environment at a quick glance. Here is a quick recap of the previous articles:

Spelunking your Splunk Part I (Exploring Your Data) - A clever dashboard that can be used to quickly understand the indexes, sources, sourcetypes, and hosts in any Splunk environment.
Spelunking your Splunk – Part II (Disk Usage) - A dashboard that can be used to monitor data distribution across multiple indexers.
Spelunking your Splunk – Part III (License Usage) - A dashboard to understand license usage over time.
Spelunking your Splunk – Part IV (User Metrics) - A dashboard to provide insight into user activity.

The idea behind this article's search is to perform validation checks against data in Splunk. Does field X have value Y? Does field X have the correct length, or a numeric value? A search built from a large number of appends, ANDs, ORs and NOTs can be cumbersome to maintain. Would you rather maintain a lookup table with a small driver search, or a search like the one below, with one appended subsearch per check? By looping through the lookup table we avoid appends and subsearches entirely.

index=_internal sourcetype=splunkd component=WatchedFile | stats earliest(_time) as firsttime latest(_time) as lasttime count by component log_level | append

Here is the problem as I originally posted it:

I am trying to store a list of searches in a lookup table and then pass each search to the map command.

|inputlookup storedsearches.csv | fields + main | map search="search index=myindex sourcetype=mysourcetype $main$"

The storedsearches.csv contains commands such as |stats count by App and |stats count by User. The idea is to have Splunk loop through the base search in the map command and then execute each stats command. I can accomplish this with the append command, but I do not want to worry about max results and search timeouts. Plus, I do not want to have to edit the search every time I add or remove a stats command or some other check.

The problem is how Splunk passes the value to the map command. If there are any spaces or special characters in the lookup table, Splunk automatically adds quotes to the pipeline. If I use a single word with letters or numbers, the quotes are not added.

'index=myindex sourcetype=mysourcetype "|stats count by Application"'

As you can see, the quotes are causing Splunk to not interpret the stats command. I tried creating a macro and stored the macro name in the lookup table. However, map does not seem to interpret the back-ticks to call the macro. Any ideas on how to instruct Splunk not to add the quotes?

A big thanks to my Splunk partner in crime C.F. We were able to solve this issue by calling a macro: the quotes are removed from the lookup value when it is inserted into a macro argument. We can now add searches to a lookup table and loop through each search with the map command. Here is how we did it.

First: Create your lookup table with a list of searches to execute. In our case we used Lookup Editor and named the field "check".

index=_internal sourcetype=splunkd component=WatchedFile | stats earliest(_time) as firsttime latest(_time) as lasttime count by component log_level, Internal WatchedFile Check
index=_internal sourcetype=splunkd component=TcpOutputProc | stats earliest(_time) as firsttime latest(_time) as lasttime count by component log_level, Internal TcpOutputProc Check

Second: Create a macro that takes a single argument. Its definition is just the argument name surrounded by $'s; the search stored in the lookup table is passed to the macro as that argument.

Third: Create the search that reads the lookup table and passes each row to the macro with the map command. Only the check field is output, because there is no reason to pass the description field along; the description field is there so the admins remember what each search is looking for. The map command calls the macro, and the value from the lookup table is inserted into the macro's argument. Don't forget the backticks when calling a macro.

|inputlookup internalchecks.csv | fields + check | map search="search `internalcheck($check$)`" maxsearches=100

map runs one search per row and stops at maxsearches (the default is 10), so keep it at or above the number of rows in the lookup.

All my users have to do now is add searches to the lookup table, without modifying the driver search. The job inspector shows how each search was expanded by the macro.

One caveat: every row in this lookup is executed as a search, so anyone who can write to the lookup can run arbitrary searches with the permissions of whoever runs the driver search (or of the owner, if it is scheduled). Scope write access to the lookup accordingly.
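The full set of artifacts for the three steps above, as an added example that is not from the original article: the macros.conf stanza is reconstructed from the macro call in the driver search (stanza name, argument name and definition are assumptions), the first two CSV rows are the article's own checks, the third row is constructed to show a different style of check, and the driver search is the article's.

```text
# macros.conf, in the same app as the lookup (assumed stanza; name and argument follow the driver search)
[internalcheck(1)]
args = check
definition = $check$

# internalchecks.csv: the check column is the search to run, description is for humans only
# (first two rows from the article; third row constructed for this example)
check,description
"index=_internal sourcetype=splunkd component=WatchedFile | stats earliest(_time) as firsttime latest(_time) as lasttime count by component log_level",Internal WatchedFile Check
"index=_internal sourcetype=splunkd component=TcpOutputProc | stats earliest(_time) as firsttime latest(_time) as lasttime count by component log_level",Internal TcpOutputProc Check
"index=_internal sourcetype=splunkd log_level=ERROR | stats count by component",Splunkd errors by component (constructed row)

# Driver search: one map iteration per row; maxsearches must cover the row count (default is 10)
| inputlookup internalchecks.csv | fields + check | map search="search `internalcheck($check$)`" maxsearches=100
```

Keep the macro and the lookup in the same app so they share permissions, and confirm the quoting fix in the Job Inspector, which shows the expanded search for each map iteration.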