https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236623#M70298 <P>When I run:</P> <P>| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P&lt; c &gt;[^ ]+)" | stats c by netdevice, ip | fields - c ]</P> <P>The output is all hosts in the lookup file.</P> <P>I think this is what you meant since the &lt; c &gt; after ?P was truncated.</P> <P>Thank you,</P> Tue, 29 Sep 2020 09:00:33 GMT GersonGarcia 2020-09-29T09:00:33Z https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236621#M70296 <P>Hello,</P> <P>I am trying to find missing data in Splunk from a lookup table using inputlookup. My lookup table is:</P> <P><STRONG>netdevices_new</STRONG><BR /> netdevice,ip,type<BR /> host1,10.10.10.1,router<BR /> host2,10.10.10.2,router<BR /> host3,10.10.10.3,firewall<BR /> host4,10.10.10.4,switch</P> <P>If I run these searches they work just fine:</P> <P>For <STRONG>hostnames</STRONG>:</P> <PRE><CODE>| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P[^ ]+)" | dedup netdevice | fields netdevice ] </CODE></PRE> <P>For <STRONG>IPs</STRONG>:</P> <PRE><CODE>| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P[^ ]+)" | dedup ip | fields ip ] </CODE></PRE> <P>How can I search for both netdevice and ip at the same time?</P> <P>The events in in the network index can have both hostname and ips.</P> <P>Thank you,</P> <P>Gerson Garcia</P> Wed, 09 Mar 2016 00:05:34 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236621#M70296 GersonGarcia 2016-03-09T00:05:34Z https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236622#M70297 <P>Try this</P> <P>| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P[^ ]+)" | stats c by netdevice, ip | fields - c ]</P> <P>If you don't have both fields ip netdevice change your rex accordingly. Idea here is you need to pass both the field combination to search. </P> <P>If your lookup doesn't have all the possible combination you need to write another subsearch</P> Tue, 29 Sep 2020 09:01:18 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236622#M70297 vasanthmss 2020-09-29T09:01:18Z https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236623#M70298 <P>When I run:</P> <P>| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P&lt; c &gt;[^ ]+)" | stats c by netdevice, ip | fields - c ]</P> <P>The output is all hosts in the lookup file.</P> <P>I think this is what you meant since the &lt; c &gt; after ?P was truncated.</P> <P>Thank you,</P> Tue, 29 Sep 2020 09:00:33 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236623#M70298 GersonGarcia 2020-09-29T09:00:33Z https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236624#M70299 <P>HI<BR /> try this search code</P> <PRE><CODE>| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P[^ ]+)" |stats count by ip netdevice| dedup ip netdevice | fields ip netdevice ] </CODE></PRE> Wed, 09 Mar 2016 08:07:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-find-missing-data-using-lookup-table-with-multiple/m-p/236624#M70299 chimell 2016-03-09T08:07:39Z