Report grouping by EAs

Posts: 181

There have been a couple of threads asking about using EAs as part of the reporting. There seems to be some conflicting info in the Admin guide.

This snip seems to say that I can use all the EAs. Is that possible? Do you have a code example?

Extensible Attributes: The reports that supported filtering and grouping by multiple extensible attributes are migrated into new interface with filtering and grouping only by the extensible attribute Site. You must clone the dashboard, add filter inputs and modify the view XML to support additional extensible attributes. For information, see Editing the XML Source Code of a Dashboard on page 1486.

Page 1486 is a generic how-to on editing the source, not any info on how to pull in all the EAs for a specific data type.


For Members, I would like to sort \ group by physical location and by server function.
For Networks, I would like similar functionality: physical location and network function to group and sort, as well as pulling in things like a contact email EA we already have and use it for alerting.

These questions have been asked as a secondary comment in a couple different threads, but I can't seem to find a definitive answer anywhere.


Re: Report grouping by EAs

Posts: 97



I asked our engineers about this and they indicated that for some reports that show data by members like CPU Utilization and DNS Query Rate by Member, we send all EA attributes including Site (as long as the attribute has value) along with reporting data. For IPAM network reports like IPAMv4 Network Usage Statistics we only send the Site EA.



Re: Report grouping by EAs

Posts: 181

I was able to get to all my members' EAs by using the "__grouping_by_ea_tag_lookup" lookup.

I am still having problems with EAs that have multiple values for a member. I'm not sure if that is my Splunk parsing of the data in the lookup table or the back-end code that generates the "__grouping_by_ea_tag_lookup". I have not done any troubleshooting yet beyond my first attempt to show the multiple values in the pull-down, which didn't work.

Now if we can just get that functionality for other record types, I can retire some more homegrown reporting tools. NIOS 8.0??

Re: Report grouping by EAs

Posts: 8

This is a generic answer.  


To start with, the lookup __grouping_by_ea_tag_lookup is only the EAs applied to host, by which the system means grid members. A gotcha here is that in some events and indexes host is the reporting member and the actual grid protocol serving member is orig_host.


1. Start in the search bar with:


| inputlookup __grouping_by_ea_tag_lookup


This will list your EAs with the object they are associated with.


2. The EA listing is a value pair:


{"ea name":"value";....}


3. Add this to the search:


 | spath input=EA path=ReportingSite output=EA_ReportingSite


where path is one of your EAs and output is the name you want it to have. Make sure you get a column in your output with the output name and values in it. Spaces and other special characters can cause issues.


4. Now you are ready to include this in your search. Towards the beginning of your search, include this:


| lookup __grouping_by_ea_tag_lookup host | spath input=EA path=ReportingSite output=EA_ReportingSite


where host is an object that EA ReportingSite is applied to.


This will add to all the events a field EA_ReportingSite with a value that matches the host object's EA value.


5. Now you can continue to build your search using EA_ReportingSite as one of the fields.


NB: You can omit output and the name will be the EA name. 
