https://community.splunk.com/t5/Splunk-Search/Question-about-lookups/m-p/51230#M12357 <P>Try this</P> <PRE><CODE>| inputlookup myserverlookup | join type=outer host [ search index=_internal sourcetype=splunkd source=*metrics* "group=per_host_thruput" earliest=-24h | stats sum(ev) as events by series | fields - host | rename series as host ] | join type=outer host [ | metadata type=hosts index=* | fields host lastTime ] | fieldformat lastTime = strftime(lastTime,"%x %X") | fieldformat events = tostring(events,"commas") | sort host | fields host events lastTime </CODE></PRE> <P>This assumes that your lookup is called <CODE>myserverlookup</CODE> and that the field name in the associated csv is <CODE>host</CODE>. </P> <P>This search tries to do things efficiently - instead of looking at all the indexes and counting up all the events - which would take a long time - it uses Splunk's internal metrics to count the events and the last time an event arrived from each host.</P> Sun, 02 Dec 2012 20:32:53 GMT lguinn2 2012-12-02T20:32:53Z https://community.splunk.com/t5/Splunk-Search/Question-about-lookups/m-p/51229#M12356 <P>Hi,</P> <P>hopefully someone can give me an advise.</P> <P>On the one hand I am having a lookup file which contains only simple server names, for instance</P> <PRE><CODE>Server A Server B Server C </CODE></PRE> <P>From some of them I am having logs, from some of them not. The goal is to create a table which contains all my servers in the lookup file. And then I want to have a another field which contains informations about how often I've got logs from them servers. </P> <PRE><CODE>Server A 116 Events Server B 690 Events Server C 0 Events </CODE></PRE> <P>How can I realise this? I only want to see servers from my lookup file, and I also want to see if the server sends zero events. </P> <P>Thank you very much</P> <P>Regards</P> Sun, 02 Dec 2012 15:54:17 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-lookups/m-p/51229#M12356 nebel 2012-12-02T15:54:17Z https://community.splunk.com/t5/Splunk-Search/Question-about-lookups/m-p/51230#M12357 <P>Try this</P> <PRE><CODE>| inputlookup myserverlookup | join type=outer host [ search index=_internal sourcetype=splunkd source=*metrics* "group=per_host_thruput" earliest=-24h | stats sum(ev) as events by series | fields - host | rename series as host ] | join type=outer host [ | metadata type=hosts index=* | fields host lastTime ] | fieldformat lastTime = strftime(lastTime,"%x %X") | fieldformat events = tostring(events,"commas") | sort host | fields host events lastTime </CODE></PRE> <P>This assumes that your lookup is called <CODE>myserverlookup</CODE> and that the field name in the associated csv is <CODE>host</CODE>. </P> <P>This search tries to do things efficiently - instead of looking at all the indexes and counting up all the events - which would take a long time - it uses Splunk's internal metrics to count the events and the last time an event arrived from each host.</P> Sun, 02 Dec 2012 20:32:53 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-lookups/m-p/51230#M12357 lguinn2 2012-12-02T20:32:53Z