https://community.splunk.com/t5/Splunk-Search/inputlookup-loops/m-p/363528#M160546 <P>The idea is my hosts will write a status message to a log file that gets picked up by Splunk and put into a shared index with all others servers. I then want to go through a list of servers via an inputlookup to see when the last time they reported their status was. I can get the time diff to work, but I can't find a way to go through all my servers ie like a for loop. Any suggestions?</P> <P>input.csv:<BR /> ServerName,Environment,App<BR /> serverA,Prod,database<BR /> serverB,Dev,webserver</P> <P>base search:<BR /> index="server_health" "pulse_detected" | head 1 | eval tnow = now() | eval timediff = (tnow - _time)| eval timediff = timediff/60/60| convert ctime(tnow) |table _time,tnow,timediff</P> <P>I've tried various versions of this below and just can't wrap my head around how it should work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>|indexlookup server.csv | table Server [ index="server_health" "pulse_detected" | head 1 | eval tnow = now() | eval timediff = (tnow - _time)| eval timediff = timediff/60/60| convert ctime(tnow) |table _time,tnow,timediff} ]</P> Tue, 29 Sep 2020 14:35:05 GMT synsoc 2020-09-29T14:35:05Z https://community.splunk.com/t5/Splunk-Search/inputlookup-loops/m-p/363528#M160546 <P>The idea is my hosts will write a status message to a log file that gets picked up by Splunk and put into a shared index with all others servers. I then want to go through a list of servers via an inputlookup to see when the last time they reported their status was. I can get the time diff to work, but I can't find a way to go through all my servers ie like a for loop. Any suggestions?</P> <P>input.csv:<BR /> ServerName,Environment,App<BR /> serverA,Prod,database<BR /> serverB,Dev,webserver</P> <P>base search:<BR /> index="server_health" "pulse_detected" | head 1 | eval tnow = now() | eval timediff = (tnow - _time)| eval timediff = timediff/60/60| convert ctime(tnow) |table _time,tnow,timediff</P> <P>I've tried various versions of this below and just can't wrap my head around how it should work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>|indexlookup server.csv | table Server [ index="server_health" "pulse_detected" | head 1 | eval tnow = now() | eval timediff = (tnow - _time)| eval timediff = timediff/60/60| convert ctime(tnow) |table _time,tnow,timediff} ]</P> Tue, 29 Sep 2020 14:35:05 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-loops/m-p/363528#M160546 synsoc 2020-09-29T14:35:05Z https://community.splunk.com/t5/Splunk-Search/inputlookup-loops/m-p/363529#M160547 <P>Try like this (assuming your logs have field called <CODE>Server</CODE> which matching the lookup's field <CODE>ServerName</CODE>)</P> <PRE><CODE>index="server_health" "pulse_detected" [| inputlookup server.csv | table ServerName | rename ServerName as Server ] | dedup Server | eval tnow = now() | eval timediff = (tnow - _time)| eval timediff = timediff/60/60| convert ctime(tnow) |table _time,tnow,timediff | append [| inputlookup server.csv | rename ServerName as Server ] | stats values(_time) as _time values(tnow) as tnow values(timediff) as timediff values(Environment) as Environment ,values(App) as App by Server </CODE></PRE> Mon, 26 Jun 2017 17:13:14 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-loops/m-p/363529#M160547 somesoni2 2017-06-26T17:13:14Z https://community.splunk.com/t5/Splunk-Search/inputlookup-loops/m-p/363530#M160548 <P>Just needed to add <STRONG>,server</STRONG> below and it worked perfectly. Thanks!</P> <PRE><CODE>|table _time,tnow,timediff,server </CODE></PRE> Tue, 27 Jun 2017 19:17:54 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-loops/m-p/363530#M160548 synsoc 2017-06-27T19:17:54Z