Solved: Re: How to do a match of fields between a CSV file...

jip31 · ‎08-18-2018

Hello
I want to do a match between a CSV file and my SPLUNK search
In the CSV file, I want that the field "host" which correspond to a list of computers name match with my searches
It means that for every host I want to match the free disk space, the date of lastlogon and last reboot etc....
Could you help me, please?

| join type=outer host [inputlookup append=t NZDL.csv] | (index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space") 
OR (index="windows-wmi" sourcetype="WMI:LastLogon") 
OR (index="windows-wmi" sourcetype="WMI:LastReboot" LastBootUpTime) 
OR (index="windows-wmi" sourcetype="wmi:MemorySize") 
OR (index=windows sourcetype=winregistry earliest=-120d 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry" OR 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" OR 
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" OR 
key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel") 
OR (index="windows-wmi" sourcetype="WMI:PeriphIssue" Caption=Mobile ConfigManagerErrorCode)

jkat54 · ‎08-19-2018

Put the join last

index=perfmon ... | join host ... [|inputlookup ...]

View solution in original post

skoelpin · ‎08-19-2018

You won't be able to query 2 indexes like that. You will also need to do a subsearch

jip31 · ‎08-19-2018

There is more than 2 index 😉 at the beginning my code was made with a join host in each search and it was working... What do you intend by subsearch??

jkat54 · ‎08-19-2018

Put the join last

index=perfmon ... | join host ... [|inputlookup ...]

jkat54 · ‎08-19-2018

Also noted you didn’t have | before inputlookup in your join. The pipe has to be there for generating commands to generate.

jip31 · ‎08-19-2018

Hello i m going To test with join last and the pipe
Concerning the lowercase you mean that the CSV doesnt like uppercase? Thanks

jkat54 · ‎08-19-2018

header / field name should be “host” not “host ame” or “HOST” etc.

jip31 · ‎08-19-2018

Ah ok. Its Well host...

jkat54 · ‎08-19-2018

So does it work?

jip31 · ‎08-19-2018

I could test tomorrow morning. I keep you aware on the forum....

jip31 · ‎08-20-2018

hi

i done it but there is no matching with the field "host" in my CSV....

(index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space") 
OR (index="windows-wmi" sourcetype="WMI:LastLogon") 
OR (index="windows-wmi" sourcetype="WMI:LastReboot" LastBootUpTime) 
OR (index="windows-wmi" sourcetype="wmi:MemorySize") 
OR (index=windows sourcetype=winregistry earliest=-120d 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\ConfigurationCountry" OR 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" OR 
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" OR 
key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel") 
OR (index="windows-wmi" sourcetype="WMI:PeriphIssue" Caption=Mobile ConfigManagerErrorCode) 
OR (index=windows sourcetype=tools:flags filename=*ABDM-TOUPDATE*) 

| join host [|inputlookup append=t NZDL.csv]

jkat54 · ‎08-20-2018

what are you trying to join to in the lookup?

I mentioned you must have host in the lookup for it to work.

jkat54 · ‎08-20-2018

This is a really expensive search btw. In large enough data sets it could out of memory your splunks. Be careful and YMMV!

jkat54 · ‎08-19-2018

make sure the lookup has lowercase host in it

How to do a match of fields between a CSV file and my SPLUNK search?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor