Automatic lookup to match hostnames with and without FQDN

3DGjos
Communicator

Hello, I need to generate an automatic lookup to match certain hosts for a project I'm working on.

The thing is, I have a list of servers in my scope, but this list sometimes contains only hostnames and other times the full FQDN, and that may differ from what I have in my host field in the Splunk metadata.

Example of the CSV:

"host" ,"description"
host1, dboraclehost1
host2, dboraclehost2
host3.mydomain.net, dboraclehost3
host4, "host4"
host5.dathost,net, "thehost5"

And in Splunk, in my host field I may have:
host1.mydomain.net
host5
host3
host4,thedomain.com

If that is achievable via the UI, that would be best, but I can still do it with the .conf files.

Best regards!

0 Karma
1 Solution

nickhills
Ultra Champion

You need your lookup to contain the wildcard (and in the correct place) so your lookup needs to look like this:

host, description
host1*, dboraclehost1
host2*, dboraclehost2
host3*, dboraclehost3
host4*, host4description
host5*, host5description

Then you need to create a lookup definition. You can do this via the UI.
Give it a name, select file-based, and select your lookup.csv.
- Make sure to tick advanced options, and specify WILDCARD(host) under match type.

You can then search like:
<your search>|lookup host_description_definition host OUTPUT description

And make it automatic if you wish.

If my comment helps, please give it a thumbs up!

0 Karma

3DGjos
Communicator

Thanks, I also made a report which formats the hostnames to hostname*.

This includes hosts which cannot be resolved. I'll post the query in case someone needs something similar:

(This works only if a previous unformatted lookup is present. This report formats it.)

#lookup filler hosts
| inputlookup preliminar_hosts.csv
| rex field=host "(?<host>\d{1,}\.\d{1,}\.\d{1,}\.\d{1,}|[^.]+)"  
| eval host=(host + "*"), is_in_scope=1
| outputlookup processed_hosts.csv

Then, with processed_hosts.csv, I made an automatic lookup which delivers the description and is_in_scope fields for every match.

Thanks a lot!!

0 Karma
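
The lookup definition and automatic lookup from this thread expressed in .conf files, as an added example that is not part of the original posts. The lookup name, file name and field names come from the thread; the stanza name `your_sourcetype` and the class name `host_scope` are placeholders, and the `case_sensitive_match` and `max_matches` lines are additions that the posts do not mention.

```ini
# transforms.conf  (the lookup definition the answer creates in the UI)
[host_description_definition]
filename = processed_hosts.csv
# Treat "*" in the CSV host column as a wildcard,
# so the row host1* matches host1 and host1.mydomain.net
match_type = WILDCARD(host)
# Addition: host names are not case-sensitive, so let HOST1 match the host1* row
case_sensitive_match = false
# Addition: host1* also matches host10 or host1-test;
# return only the first matching row, in file order
max_matches = 1

# props.conf  (the automatic lookup)
# your_sourcetype is a placeholder for the sourcetype the lookup should apply to
[your_sourcetype]
LOOKUP-host_scope = host_description_definition host OUTPUT description is_in_scope
```

Because a trailing wildcard such as `host1*` also covers `host10`, keep longer, more specific rows above shorter ones in the CSV when `max_matches = 1` is set.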