<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Hosts event search by lookup table in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562239#M195546</link>
    <description>In Linux there are not the same kind of event IDs as Windows has. In Linux there are several logs, like syslog, which have several different events from several processes/daemons. Depending on your configuration you could have sourcetypes, tags or other keywords which you can use in your queries.&lt;BR /&gt;For further help we must know what and how you are collecting those logs, and whether you are using some TAs for that or are doing tokenisation by yourself.&lt;BR /&gt;r. Ismo</description>
    <pubDate>Thu, 05 Aug 2021 12:13:46 GMT</pubDate>
    <dc:creator>isoutamo</dc:creator>
    <dc:date>2021-08-05T12:13:46Z</dc:date>
    <item>
      <title>Hosts event search by lookup table</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562203#M195530</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I have created a lookup table and imported it into Splunk. It has 2 columns, one called hosts, the other called IPs. The columns are populated with the hosts I want to query. I'm very new to Splunk and would like to create a search that returns errors/events worth investigating from the hosts specified in the lookup file. I'll display the results on a dashboard and will be checking this daily for preventative maintenance on my system. I'm just after events worth looking into and need to filter out irrelevant events to save time. Can anyone help? Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Aug 2021 08:18:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562203#M195530</guid>
      <dc:creator>ned692000</dc:creator>
      <dc:date>2021-08-05T08:18:18Z</dc:date>
    </item>
    <item>
      <title>Re: Hosts event search by lookup table</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562206#M195533</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237155"&gt;@ned692000&lt;/a&gt;,&lt;BR /&gt;&lt;BR /&gt;You can filter index events using &lt;STRONG&gt;inputlookup&lt;/STRONG&gt; in a sub-search like below. This will return the events for&lt;SPAN&gt;&amp;nbsp;the hosts specified in the lookup file.&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=indexname sourcetype=sourcetypename [| inputlookup lookup_table | fields hosts | rename hosts as host | format]&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If this reply helps you, a like would be appreciated.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Aug 2021 08:31:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562206#M195533</guid>
      <dc:creator>manjunathmeti</dc:creator>
      <dc:date>2021-08-05T08:31:20Z</dc:date>
    </item>
    <item>
      <title>Re: Hosts event search by lookup table</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562235#M195544</link>
      <description>&lt;P&gt;Thanks for your reply, that worked and it's very useful. I have a further question. Are there any keywords/event IDs that I can use to filter out events for Linux machines? I have used event IDs for Windows but am not sure what to use for Linux. Thanks again.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Aug 2021 11:58:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562235#M195544</guid>
      <dc:creator>ned692000</dc:creator>
      <dc:date>2021-08-05T11:58:21Z</dc:date>
    </item>
    <item>
      <title>Re: Hosts event search by lookup table</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562239#M195546</link>
      <description>In Linux there are not the same kind of event IDs as Windows has. In Linux there are several logs, like syslog, which have several different events from several processes/daemons. Depending on your configuration you could have sourcetypes, tags or other keywords which you can use in your queries.&lt;BR /&gt;For further help we must know what and how you are collecting those logs, and whether you are using some TAs for that or are doing tokenisation by yourself.&lt;BR /&gt;r. Ismo</description>
      <pubDate>Thu, 05 Aug 2021 12:13:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562239#M195546</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2021-08-05T12:13:46Z</dc:date>
    </item>
    <item>
      <title>Re: Hosts event search by lookup table</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562251#M195555</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Thanks for the reply. It's taking everything from var/messages via a forwarder. Is there anything I can use as a filter to reduce un-useful messages, i.e. things I need to keep an eye on, rather than just normal system events?&lt;/P&gt;</description>
      <pubDate>Thu, 05 Aug 2021 12:50:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Hosts-event-search-by-lookup-table/m-p/562251#M195555</guid>
      <dc:creator>ned692000</dc:creator>
      <dc:date>2021-08-05T12:50:18Z</dc:date>
    </item>
  </channel>
</rss>