I have a lookup file which has a mount list with the respective servers. Now I have a script which logs the mounts available every 15 min. I want to create an alert if any mount is missing from what is mentioned in the lookup file. Example -
Lookup file (host_mount.csv) -
Host,Mount_to_monitor
host1,/opt
host1,/var
host1,/usr
host2,/var
host2,/foo
host3,/bar
host3,/usr
Say my search result table from the script's log looks like -
HostName,Mount
host1,/opt
host1,/usr
host2,/var
host2,/foo
host3,/bar
Which means the diff (what is missing) would be -
Host,Missing_mount
host1,/var
host3,/usr
How should I do this?
There can be multiple ways to do this. One is using the set diff command, another is appending both results and filtering after applying stats, and another is using a subsearch filter (see @renjith.nair's answer). See these for the set diff implementation:
https://answers.splunk.com/answers/151315/how-to-find-differences-between-two-searches-with-set-diff...
http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Set
For stats, you'd do something like this:
search that gives result with fields HostName,Mount
| eval from="search"
| append [| inputlookup host_mount.csv | table Host,Mount_to_monitor | rename Host as HostName Mount_to_monitor as Mount | eval from="lookup"]
| stats values(from) as from by HostName Mount | where mvcount(from)=1 AND from="lookup"
| table HostName Mount | rename Mount as Missing_Mount
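As an added example (not part of the answer above and not Splunk code), here is the same logic in plain Python so the "tag each row with from, stats by HostName Mount, keep the pairs seen only in the lookup" pattern can be checked offline against the question's sample tables. The two CSV strings are constructed from the question's example and keep its column names; the host-name lowercasing is an assumption added here, because a lookup with "Host1" and a log with "host1" would otherwise raise a false alert.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data mirroring the question's tables (not from a real system).
LOOKUP_CSV = """Host,Mount_to_monitor
host1,/opt
host1,/var
host1,/usr
host2,/var
host2,/foo
host3,/bar
host3,/usr
"""

OBSERVED_CSV = """HostName,Mount
host1,/opt
host1,/usr
host2,/var
host2,/foo
host3,/bar
"""


def read_pairs(csv_text, host_field, mount_field):
    """Parse CSV text into a set of (host, mount) tuples using the given column names.

    Host names are lowercased (assumption: DNS names are case-insensitive) so that
    inventory and log spelling differences do not produce false "missing" alerts.
    Mount paths are case-sensitive and are only stripped of surrounding whitespace.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row[host_field].strip().lower(), row[mount_field].strip()) for row in reader}


def missing_mounts_stats_style(lookup_csv, observed_csv):
    """Mirror the SPL 'append + stats values(from) + where' pattern.

    Every (host, mount) pair is tagged with its origin ("lookup" or "search"),
    the tagged rows are grouped by (host, mount), and a pair is reported as
    missing when the only origin ever seen for it is "lookup".
    """
    tagged = []
    for pair in read_pairs(lookup_csv, "Host", "Mount_to_monitor"):
        tagged.append((pair, "lookup"))          # eval from="lookup"
    for pair in read_pairs(observed_csv, "HostName", "Mount"):
        tagged.append((pair, "search"))          # eval from="search"

    origins = defaultdict(set)                   # stats values(from) by HostName Mount
    for pair, origin in tagged:
        origins[pair].add(origin)

    # where mvcount(from)=1 AND from="lookup"
    return sorted(pair for pair, seen in origins.items() if seen == {"lookup"})


def missing_mounts_set_diff(lookup_csv, observed_csv):
    """Same result via plain set difference (the 'set diff' approach)."""
    expected = read_pairs(lookup_csv, "Host", "Mount_to_monitor")
    observed = read_pairs(observed_csv, "HostName", "Mount")
    return sorted(expected - observed)


def unexpected_mounts(lookup_csv, observed_csv):
    """Inverse check: mounts the script reported that the lookup does not list.

    Catches inventory drift (a volume added to a server but never to the lookup),
    which the missing-mount alert alone would never surface.
    """
    expected = read_pairs(lookup_csv, "Host", "Mount_to_monitor")
    observed = read_pairs(observed_csv, "HostName", "Mount")
    return sorted(observed - expected)


if __name__ == "__main__":
    for host, mount in missing_mounts_stats_style(LOOKUP_CSV, OBSERVED_CSV):
        print(f"ALERT host={host} missing_mount={mount}")
    for host, mount in unexpected_mounts(LOOKUP_CSV, OBSERVED_CSV):
        print(f"INFO host={host} unlisted_mount={mount}")
```

One behaviour worth knowing before wiring this (or the SPL above) into an alert: a host that stops reporting entirely shows up as every one of its lookup mounts missing at once, because the append/stats filter cannot tell "mount gone" from "host silent". That burst is a useful signal in itself, but if the two cases need different handling, first check whether the host appears in the search results at all.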
Been looking for a similar use case and I think your answer serves me right!!
This gives the values that are in the lookup but not in the search, right?? TIA.
Exactly that way. For that reason there is the field "from".
r. Ismo
Unknown search command 'inputlooklup'.
There was a typo. It should be "inputlookup". Fixed that now.
@anirban_nag,
Try
| inputlookup "yourlookup terms" | search NOT [ "your search for log files" ]