topic Re: Not getting results to lookup command in Splunk Search

Not getting results to lookup command

Nagalakshmi — Thu, 29 Feb 2024 17:00:33 GMT

Hi,

Need your assistance below

We have created new csv lookup and we are using the below query but we are getting all the data from the index & sourcetype . we need to get the events only for the hosts which mentioned on the lookup is the requirement

Lookup name : Win_inventory.CSV used only one column called Server_name

index=Nagio sourcetype=nagios:core:hard |lookup Win_inventory.CSV Server_name as host_name OUTPUTNEW Server_name.

Server_name is not an existing interesting field

Re: Not getting results to lookup command

richgalloway — Thu, 29 Feb 2024 16:56:08 GMT

The current query will fetch all data from the index and then lookup the Server_name field. To fetch only the hosts in the lookup file from the index, use a subsearch.

index=Nagio sourcetype=nagios:core:hard [ | inputlookup Win_inventory.CSV | fields Server_name | rename Server_name as host_name ]

Re: Not getting results to lookup command

Nagalakshmi — Thu, 29 Feb 2024 19:19:16 GMT

Hi @richgalloway ,

I used the above query, it is showing 0 events

Re: Not getting results to lookup command

richgalloway — Thu, 29 Feb 2024 20:27:37 GMT

Make sure the Nagio index contains a field called "host_name". If it does not, then change the rename command to make the Server_name field match a field name in the index.