Hello, I need to generate an automatic lookup to match certain hosts for a project I'm working on.
The thing is, I have a list of servers in my scope, but this list sometimes contains only hostnames and other times the full FQDN, and that may differ from what I have in the host field in the Splunk metadata.
Example of the CSV:
"host","description"
host1, dboraclehost1
host2, dboraclehost2
host3.mydomain.net, dboraclehost3
host4, "host4"
host5.dathost.net, "thehost5"
And in Splunk, in my host field I may have:
host1.mydomain.net
host5
host3
host4.thedomain.com
If that can be achieved via the UI, that would be best, but I can still do it with the .conf files.
Best regards!
You need your lookup to contain the wildcard (and in the correct place), so your lookup needs to look like this:
host, description
host1*, dboraclehost1
host2*, dboraclehost2
host3*, dboraclehost3
host4*, host4description
host5*, host5description
Then you need to create a lookup definition. You can do this via the UI:
Give it a name, select file-based, and select your lookup.csv
- make sure to tick advanced options, and specify WILDCARD(host) under match type.
You can then search like:
<your search>|lookup host_description_definition host OUTPUT description
And make it automatic if you wish.
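The same lookup definition and automatic lookup expressed in .conf files, which is the route the question also mentions. This is an added example, not part of the original answer: the definition name host_description_definition and the file name lookup.csv are taken from the answer above, while the sourcetype oracle:audit and the case_sensitive_match setting are assumptions for illustration.

```ini
# transforms.conf -- the lookup definition.
# The stanza name is what "| lookup" and the props.conf LOOKUP- line refer to.
# lookup.csv must sit in the app's lookups/ directory (assumed name from the answer).
[host_description_definition]
filename = lookup.csv
# WILDCARD(host): the "host" column of the CSV is matched as a glob, so the row
# "host1*" matches host1, host1.mydomain.net, and anything else starting with host1.
match_type = WILDCARD(host)
# CSV lookups are case-sensitive by default; forwarders often lower-case the host
# field, so relax this if the CSV mixes case (assumed setting, not from the answer).
case_sensitive_match = false

# props.conf -- the automatic lookup.
# Applies the definition to every event of the named sourcetype (assumed: oracle:audit).
# Syntax: LOOKUP-<any name> = <definition> <event field> OUTPUT <CSV column>
# Use OUTPUTNEW instead of OUTPUT if events may already carry a "description" field
# that must not be overwritten.
[oracle:audit]
LOOKUP-host_description = host_description_definition host OUTPUT description
```

One caveat worth checking before relying on this for scoping: a glob such as host1* also matches host10, host11 and host1-backup, because WILDCARD only understands * and cannot be anchored. If hosts in your environment share prefixes, either tighten the patterns (host1.* alongside host1 as a second exact row) or normalise the event side instead, for example with a calculated field that strips everything after the first dot, and use an ordinary exact-match lookup on that field.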
Thanks, I also made a report which formats the hostnames to hostname*.
This includes hosts which cannot be resolved. I'll post the query in case someone needs something similar:
(This works only if a previous unformatted lookup is present; this report formats it.)
#lookup filler hosts
| inputlookup preliminar_hosts.csv
| rex field=host "(?<host>\d{1,}\.\d{1,}\.\d{1,}\.\d{1,}|[^.]+)"
| eval host=(host + "*"), is_in_scope=1
| outputlookup processed_hosts.csv
Then, with processed_hosts.csv, I made an automatic lookup which delivers the description and is_in_scope fields for every match.
Thanks a lot!!