I have a lookup in which column A is the index and column B is the number of hosts. I would like to be able to query the number of hosts per index I have, i.e. if I have three hosts in my lookup but Splunk returns two, I would like to see that number.
Probably a difficult query but one I am struggling with - thanks in advance!
Hi @Orangebottle76 ,
Let me understand:
in the lookup you have the host in one column and the count of hosts in another.
There could be some hosts without values and you want to check this, is this correct?
If this is your need, as you can read in my answer linked by @SanjayReddy, you need a list of hosts to monitor, inserted in another lookup (called e.g. perimeter.csv) containing at least one column with the same field name as the first lookup (e.g. host), so you can run a search like this:
| inputlookup your_lookup.csv
| eval host=lower(host)
| stats values(number) AS number BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), number=0 | fields host number ]
| stats sum(number) AS number BY host
In this way you'll have the number for all hosts, including the ones not present in the main lookup but present in perimeter.csv.
Ciao.
Giuseppe
So I have two columns one with an index and the other with the amount of hosts that index has, I just want to query that data from my lookup to that data I have in Splunk. Sorry if I have confused you 🙂
Hi @Orangebottle76,
Where are the two columns: in a lookup, or are they the result of a search?
If in a lookup, my search above is the solution for your requirement.
If they are the result of a search, you can apply the solution indicated by @SanjayReddy from my previous answer to solve your need. In both cases the approach is:
have a lookup with the hosts to monitor and add the values from this lookup to the search results with count=0; in this way you'll also have the values not present in the main search.
Ciao.
Giuseppe
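The zero-fill approach described above, applied to a lookup keyed by index instead of host, as an added example that is not part of the original posts. It assumes a hypothetical lookup named expected_hosts.csv with the columns index and number (the expected host count), and a 24-hour search window; adjust both to your environment.

```spl
| tstats dc(host) AS actual_hosts WHERE index=* earliest=-24h BY index
| append
    [| inputlookup expected_hosts.csv
     | rename number AS expected_hosts
     | eval actual_hosts=0
     | fields index expected_hosts actual_hosts]
| stats sum(actual_hosts) AS actual_hosts, max(expected_hosts) AS expected_hosts BY index
| eval missing_hosts=expected_hosts-actual_hosts
| where isnull(expected_hosts) OR missing_hosts!=0
| table index expected_hosts actual_hosts missing_hosts
```

An index that appears only in the lookup is reported with actual_hosts=0, and an index that is searched but absent from the lookup is reported with an empty expected_hosts, so both silent log sources and unlisted indexes show up in the result.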
Hi @Orangebottle76
For this similar requirement @gcusello provided a great solution; the following answer will help you:
https://community.splunk.com/t5/Reporting/How-to-prepare-a-list-of-hosts-that-have-not-reported-in-f...
Hi, that thread does not quite work for me. I have tried but it does not work for what I want.
Thanks.