topic How to return a list of hosts from a lookup table, but not in events? in Splunk Search

How to return a list of hosts from a lookup table, but not in events?

chrisfrigo — Thu, 18 Jun 2015 05:30:37 GMT

Hi,

I'm using a lookup table with approx 107,000 lines and 6MB in size. Trying to display a list of hosts which are in a lookup table, but not in the Splunk events. The below search seems to work, but not effectively. The results display 96,648. I'm expecting more around 50,000. When I search a host which is in the results, it is contained in the Splunk events which validates it's not effective. Any idea whether there are limits on size of lookup tables?

| inputlookup workstations | rename fielda AS fieldb | dedup fieldb | search NOT [search index=index-name  | dedup fieldb | fields fieldb]

Re: How to return a list of hosts from a lookup table, but not in events?

HiroshiSatoh — Thu, 18 Jun 2015 06:09:15 GMT

What with this?

Re: How to return a list of hosts from a lookup table, but not in events?

chrisfrigo — Thu, 18 Jun 2015 07:22:23 GMT

I see what your saying, the results should be minimal. but they are not matching. of the total 86,000 events, there are 76,000 display.

I will try reduce the CSV size

Re: How to return a list of hosts from a lookup table, but not in events?

chrisfrigo — Fri, 19 Jun 2015 04:48:02 GMT

Ended up being subsearch limit to 10500 lines. updated the maxout and now working.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Limitsconf

Re: How to return a list of hosts from a lookup table, but not in events?

vganjare — Fri, 19 Jun 2015 05:40:44 GMT

You can try using multisearch command. e.g.

| multisearch [| inputlookup workstations | rename fielda AS fieldb | dedup fieldb | eval LOOKUP_CHECK="YES"] [search index=index-name  | dedup fieldb | fields fieldb | eval INDEX_CHECK="YES"] | stats values(LOOKUP_CHECK) as LOOKUP_CHECK, values(INDEX_CHECK) as INDEX_CHECK by fieldb | fillnull values="NULL" LOOKUP_CHECK | search LOOKUP_CHECK="NULL"

Thanks!!