I Need to take a CSV file as input with a list of UF hostnames and check if they are reporting to splunk deployment server in a dashbaord
Thank you so much for the response, Is it possible to make the users upload the csv file into a dashbaord instead of a lookup file?
Hi @arunsundarm,
You could also use the commain inputcsv, that probably works, but I usually use a lookup, and I hint to use the same approach.
Ciao.
Giuseppe
Hi @arunsundarm,
you could run something like this:
| metasearch index=_internal
| dedup host
| table host
| outputlookup perimeter.csv
in this way you have a list of host that reported in a period (e.g. last month) and the list is saved in a lookup called perimeter.cav.
You can manage this lookup in two ways:
the first solution is easier but gives you less control: is there's an host that didn't connect in the last month you don't detect the missing one.
The second solution, requires more work, but gives you more control.
To my customers, I hint the second solution!
Then you can run a search like this to check if there's some host missing:
| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [
| inputlookup perimeter.csv
| eval host=lower(host), count=0
| fields host count
]
| stats sum(count) AS total BY host
| where total=0
Ciao.
Giuseppe