https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634066#M220218 <P>You're looking for hosts not in the lookup file so use the <FONT face="courier new,courier">NOT</FONT> keyword in the search.</P><LI-CODE lang="markup">| search NOT [ |inputlookup my_host_list |table host ip_address ] |dedup host |table host ip_count ip_address repot_count repot</LI-CODE><P>&nbsp;</P> Fri, 10 Mar 2023 15:08:42 GMT richgalloway 2023-03-10T15:08:42Z https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634058#M220216 <P>Hello I have the following search which produces&nbsp; statistics(746) in Splunk:<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">index=my_index sourcetype=my_st id=100 host!=10.* earliest=-1d@d | stats values(repot) as repot dc(repot) as repost_count values(ip) as ip_address dc(ip) as ip_count by host |table host ip_count ip_address repot_count repot</LI-CODE><P>&nbsp;</P><P>&nbsp;&nbsp;<BR />I am then using a lookup file to filter out unwanted hosts from the above search (which produces statitics(676) in Splunk.<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">| search [ |inputlookup my_host_list |table host ip_address ] |dedup host |table host ip_count ip_address repot_count repot</LI-CODE><P>&nbsp;</P><P><BR />How would I determine the host names of the 70 missing hosts from the my_host_list lookup?</P> Fri, 10 Mar 2023 14:13:10 GMT https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634058#M220216 jason_hotchkiss 2023-03-10T14:13:10Z https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634066#M220218 <P>You're looking for hosts not in the lookup file so use the <FONT face="courier new,courier">NOT</FONT> keyword in the search.</P><LI-CODE lang="markup">| search NOT [ |inputlookup my_host_list |table host ip_address ] |dedup host |table host ip_count ip_address repot_count repot</LI-CODE><P>&nbsp;</P> Fri, 10 Mar 2023 15:08:42 GMT https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634066#M220218 richgalloway 2023-03-10T15:08:42Z https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634074#M220219 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;- thank you.&nbsp; I think I have been staring at this screen too long....</P> Fri, 10 Mar 2023 15:41:04 GMT https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634074#M220219 jason_hotchkiss 2023-03-10T15:41:04Z https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634077#M220220 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226579">@jason_hotchkiss</a>,</P><P>you could run something like this:</P><LI-CODE lang="markup">index=my_index sourcetype=my_st id=100 host!=10.* earliest=-1d@d | stats values(repot) as repot dc(repot) as repost_count values(ip) as ip_address dc(ip) as ip_count count BY host | append [ |inputlookup my_host_list | eval count=0 | fields host ip_address count ] | stats values(repot) as repot dc(repot) as repost_count values(ip) as ip_address dc(ip) as ip_count sum(count) As total BY host | eval status=if(total=0,"missing","present" | table host ip_count ip_address repot_count repot status</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Fri, 10 Mar 2023 16:04:05 GMT https://community.splunk.com/t5/Splunk-Search/Find-missing-hosts-after-referencing-a-lookup-file/m-p/634077#M220220 gcusello 2023-03-10T16:04:05Z