https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392994#M114324 <P>In csv better we need to keep host names as below i got results but in more hosts than csv file .</P> <PRE><CODE> host H YY* YES XX* YES </CODE></PRE> Wed, 16 May 2018 16:09:46 GMT splunker969 2018-05-16T16:09:46Z https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392989#M114319 <P>When Iam trying to run this search its giving me wrong results .Please correct my search. In my csv is having to coumlmns one is host and other H=YES . Thanks </P> <P>| metadata type=hosts index=* <BR /> | join [| inputlookup watchlist1.csv |search H=YES| rename Host as host] <BR /> | stats min(firstTime) as firstTime, max(recentTime) as recentTime, max(lastTime) as lastTime, sum(totalCount) as totalCount by host <BR /> | sort lastTime <BR /> | convert cTime(firstTime) ctime(recentTime) ctime(lastTime)<BR /> | fields host, firstTime, recentTime, lastTime, totalCount </P> Wed, 16 May 2018 15:07:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392989#M114319 splunker969 2018-05-16T15:07:53Z https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392990#M114320 <P>Are you trying to filter the results of the <CODE>metadata</CODE> query to only show hosts from your lookup file that contain <CODE>YES</CODE> in the <CODE>H</CODE> field? If so, give this a shot:</P> <PRE><CODE>| metadata type=hosts index=* | search [| inputlookup watchlist1.csv |search H="YES" | rename Host as host | fields host ] | stats min(firstTime) as firstTime, max(recentTime) as recentTime, max(lastTime) as lastTime, sum(totalCount) as totalCount by host | sort lastTime | convert cTime(firstTime) ctime(recentTime) ctime(lastTime) | fields host, firstTime, recentTime, lastTime, totalCount </CODE></PRE> Wed, 16 May 2018 15:23:27 GMT https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392990#M114320 elliotproebstel 2018-05-16T15:23:27Z https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392991#M114321 <P>Hi ellitproebstel ,</P> <P>Thanks :)Search is working can you help me to find the fully qualified name for host when i search its giving me host name in short cut .</P> Wed, 16 May 2018 15:35:56 GMT https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392991#M114321 splunker969 2018-05-16T15:35:56Z https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392992#M114322 <P>Do you have the fully qualified name somewhere in your logs or in a lookup? </P> Wed, 16 May 2018 15:50:02 GMT https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392992#M114322 elliotproebstel 2018-05-16T15:50:02Z https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392993#M114323 <P>logs are having names</P> Wed, 16 May 2018 15:58:51 GMT https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392993#M114323 splunker969 2018-05-16T15:58:51Z https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392994#M114324 <P>In csv better we need to keep host names as below i got results but in more hosts than csv file .</P> <PRE><CODE> host H YY* YES XX* YES </CODE></PRE> Wed, 16 May 2018 16:09:46 GMT https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392994#M114324 splunker969 2018-05-16T16:09:46Z https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392995#M114325 <P>Hi Mate,</P> <P>As we are getting the duplicate results from the csv table and the results are coming with both normal host name and hostname with FQDNS. How do we resolve this and please suggest.</P> <P>Example:<BR /> host<BR /> host.com</P> <P>Thanks.</P> Wed, 16 May 2018 17:02:35 GMT https://community.splunk.com/t5/Splunk-Search/Search-help/m-p/392995#M114325 splunker969 2018-05-16T17:02:35Z