I have a list of hosts on a lookup around 40 hosts. For the list of hosts I want to check the list of sourcetypes like below
search 1 :-
host="host1" | stats count by sourcetype
search 2 :-
host="host2" | stats count by sourcetype
and so on upto search 40 which contains the host 40 which is a long process and time consuming one. Instead is there any way to use all the hosts from the lookup tables in a query and display the available sourcetypes for each host?
The lookup file name is ABCD.csv
Also I dont want the stats count I just want the list of sourcetypes for each host like below
and so on.
ABCD.csv lookup contains only the hostname, ip_address with the values as below
So I have tried the below query
| tstats values(sourcetype) WHERE index=* AND [|inputlookup ABCD.csv | eval host=lower(host_name) | eval host=mvindex(split(host,"."),0) | table host ] BY host
OK, then this:
| tstats values(sourcetype) WHERE index=* AND [|inputlookup ABCD.csv | table ip | rename ip AS host | appendpipe [|inputlookup ABCD.csv | table host_name | rename host_name AS host ]] BY host
Yes @woodcock. Still the same error which is below
"error in 'TsidxStats': WHERE clause is not an exact query"
I am using the following query and getting the above error not sure why
| tstats values(sourcetype) WHERE index=* AND [|inputlookup ABCD.csv | eval hostname=lower(hostname) | eval hostname=mvindex(split(hostname,"."),0) | table hostname | rename hostname AS host ] BY host