https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671284#M230063 <P>This is the point where you show the search(es) you ran, their results, and tell how those results miss expectations.&nbsp; Does the lookup file contain data that can be used to search the index?&nbsp; If not, can it be modified or can the search modify a lookup field into something that's in the index?</P> Fri, 08 Dec 2023 17:52:06 GMT richgalloway 2023-12-08T17:52:06Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671266#M230053 <P><SPAN>Hi,&nbsp;</SPAN></P><P><SPAN>I have two datasets for example –</SPAN></P><P><SPAN>1.Index=abc host=def_inven, consider as Dataset A (inventory with 100 servers) and</SPAN></P><P><SPAN>2.lookup = something, consider as Dataset B (monitored in Splunk with 80 servers).<BR /></SPAN></P><P><SPAN>How can I identify the 20 servers missing ?&nbsp;</SPAN></P> Fri, 08 Dec 2023 14:49:41 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671266#M230053 Muthu_Vinith 2023-12-08T14:49:41Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671268#M230054 <P>Use a subsearch to exclude the lookup file from the index results.</P><LI-CODE lang="markup">index=abc host=def_inven NOT [ | inputlookup something | fields &lt;a field from the lookup that identifies a server&gt; | rename &lt;field&gt; as &lt;some field name in Dataset A&gt; ]</LI-CODE> Fri, 08 Dec 2023 14:52:38 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671268#M230054 richgalloway 2023-12-08T14:52:38Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671282#M230062 <P>I tried this method, but unfortunately i couldn't get exact results. It's showing only index data. Is there any different method instead of append can we use join command? Can you suggest different logic&nbsp;<BR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P> Fri, 08 Dec 2023 17:18:12 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671282#M230062 Muthu_Vinith 2023-12-08T17:18:12Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671284#M230063 <P>This is the point where you show the search(es) you ran, their results, and tell how those results miss expectations.&nbsp; Does the lookup file contain data that can be used to search the index?&nbsp; If not, can it be modified or can the search modify a lookup field into something that's in the index?</P> Fri, 08 Dec 2023 17:52:06 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671284#M230063 richgalloway 2023-12-08T17:52:06Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671312#M230068 <P>No, in lookup file there are few servers which are monitored, but also in index &nbsp;some servers which is monitored but I need to find which is not monitored.</P><P>Is it possible to try something like this for example:</P><P>index=abc host=def_inven</P><P>•if it is in inventory flag it&nbsp;</P><P>flag inven= something&nbsp;</P><P>join&nbsp;</P><P>lookup &lt;&gt;<BR />flag &nbsp;splunk=something</P><P>so we can use |stats values by flag<BR />Whether this logic is correct? If it is ok give a exact query or suggest me something different query &nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;&nbsp;</P> Fri, 08 Dec 2023 20:15:50 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671312#M230068 Muthu_Vinith 2023-12-08T20:15:50Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671314#M230070 <P>The first query I gave you should have worked, but the logic you just suggested should work, too.&nbsp; This query marks servers from the index as "indexed" and those from the lookup file as "lookup".&nbsp; After combining the results by server name, it keeps only the servers found in the index.</P><LI-CODE lang="markup">index=abc host=def_inven | eval inven="indexed" | append [ | inputlookup mylookup.csv | eval inven="lookup" ] | stats values(*) as * by server | where (mvcount(inven)=1 AND isnotnull(mvfind(inven,"indexed")))</LI-CODE><P>&nbsp;</P> Fri, 08 Dec 2023 20:23:49 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671314#M230070 richgalloway 2023-12-08T20:23:49Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671341#M230079 <P>It Works, Thank You&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P> Sat, 09 Dec 2023 07:11:21 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671341#M230079 Muthu_Vinith 2023-12-09T07:11:21Z https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671362#M230090 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Sat, 09 Dec 2023 13:20:43 GMT https://community.splunk.com/t5/Splunk-Search/Identify-missing-servers/m-p/671362#M230090 richgalloway 2023-12-09T13:20:43Z