
How to do a match of fields between a CSV file and my SPLUNK search?

jip31
Motivator

Hello
I want to do a match between a CSV file and my SPLUNK search.
In the CSV file, I want the field "host", which corresponds to a list of computer names, to match with my searches.
It means that for every host I want to match the free disk space, the date of last logon, the last reboot, etc.
Could you help me, please?

| join type=outer host [inputlookup append=t NZDL.csv] | (index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space") 
OR (index="windows-wmi" sourcetype="WMI:LastLogon") 
OR (index="windows-wmi" sourcetype="WMI:LastReboot" LastBootUpTime) 
OR (index="windows-wmi" sourcetype="wmi:MemorySize") 
OR (index=windows sourcetype=winregistry earliest=-120d 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry" OR 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" OR 
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" OR 
key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel") 
OR (index="windows-wmi" sourcetype="WMI:PeriphIssue" Caption=Mobile ConfigManagerErrorCode) 
1 Solution

jkat54
SplunkTrust

Put the join last

index=perfmon ... | join host ... [|inputlookup ...]


skoelpin
SplunkTrust

You won't be able to query 2 indexes like that. You will also need to do a subsearch


jip31
Motivator

There are more than 2 indexes 😉. At the beginning my code was made with a join host in each search and it was working... What do you mean by subsearch??



jkat54
SplunkTrust

Also noted you didn’t have | before inputlookup in your join. The pipe has to be there for generating commands to generate.


jip31
Motivator

Hello, I'm going to test with join last and the pipe.
Concerning the lowercase, you mean that the CSV doesn't like uppercase? Thanks


jkat54
SplunkTrust

header / field name should be “host” not “host name” or “HOST” etc.


jip31
Motivator

Ah ok. It is indeed host...


jkat54
SplunkTrust

So does it work?


jip31
Motivator

I could test tomorrow morning. I'll keep you informed on the forum....


jip31
Motivator

Hi

I did it but there is no match with the field "host" in my CSV....

(index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space") 
OR (index="windows-wmi" sourcetype="WMI:LastLogon") 
OR (index="windows-wmi" sourcetype="WMI:LastReboot" LastBootUpTime) 
OR (index="windows-wmi" sourcetype="wmi:MemorySize") 
OR (index=windows sourcetype=winregistry earliest=-120d 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\ConfigurationCountry" OR 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" OR 
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" OR 
key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel") 
OR (index="windows-wmi" sourcetype="WMI:PeriphIssue" Caption=Mobile ConfigManagerErrorCode) 
OR (index=windows sourcetype=tools:flags filename=*ABDM-TOUPDATE*) 

| join host [|inputlookup append=t NZDL.csv]

jkat54
SplunkTrust

what are you trying to join to in the lookup?

I mentioned you must have host in the lookup for it to work.


jkat54
SplunkTrust

This is a really expensive search btw. In large enough data sets it could out of memory your splunks. Be careful and YMMV!


jkat54
SplunkTrust

make sure the lookup has lowercase host in it

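Putting jkat54's advice from this thread together (base search first, a leading pipe before inputlookup, the join last, and a lowercase host column in the lookup), here is the corrected search as an added example; it is not code posted by anyone in the thread. The base search is shortened to the first four clauses of the question. The rename HOST AS host step is an assumption covering the case where the CSV header is uppercase (it is a no-op when the header is already host); append=t is dropped because it has no meaning inside a join subsearch; Value is the standard field carrying a perfmon counter reading, and LastBootUpTime is the field name from the question.

```spl
(index="perfmon" sourcetype="perfmon:logicaldisk" instance="c:" counter="Free Megabytes" OR counter="% Free Space")
OR (index="windows-wmi" sourcetype="WMI:LastLogon")
OR (index="windows-wmi" sourcetype="WMI:LastReboot" LastBootUpTime)
OR (index="windows-wmi" sourcetype="wmi:MemorySize")
| eval host=lower(host)
| join host
    [| inputlookup NZDL.csv
     | rename HOST AS host
     | eval host=lower(host)]
| table host, sourcetype, _time, counter, Value, LastBootUpTime
```

The default join type is inner, so only events whose host value appears in NZDL.csv survive, which is the matching the question asks for; lowercasing host on both sides guards against case differences between the CSV values and the indexed host field, since join compares values exactly. Because join holds the whole subsearch in memory and is capped by the [join] limits in limits.conf (50,000 subsearch rows by default), the cheaper form for the large data sets jkat54 warns about is to use the lookup as a filter inside the base search, index=... [| inputlookup NZDL.csv | fields host], and then summarise with stats ... BY host, which avoids join entirely.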