Currently I have a search and report that is producing the live data we need. It is named, as an example, "look now"...two words with a space in between. So if I want to check if a host is online, we type in the search:
look now hostname splunkserver1
We get current IP, MAC, Hostname, user etc.
Rather than doing this one at a time, I would like to load a CSV file with like 200 hostnames, then have Splunk look up that information in the CSV file, match it to what is live (on the network), then provide me with the information: IP, MAC, Hostname, user, etc.
I have successfully got a list to run but it was only the csv file. No matching.
Then tried this look now = ([| inputlookup hostlu.csv |fields hostname])
and got the list, but only the host name without IP, MAC, etc., and the error: Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side
look now {can look at all the hosts that are on or have been on.}
hostlu.csv {the file that will be loaded manually daily with just the host names}
Thanks for the help in advance.
Hi @ShastaFoz,
did you explore the lookup command (https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Lookup)?
Something like this (if the hostname field is the same both in main search and lookup):
<your-search>
| lookup hostlu.csv hostname OUTPUT IP MAC Hostname user
| ...
if you could share your code, I'll be more detailed.
One additional piece of information: if possible, avoid spaces in field names, because in this case you have to use quotes every time; if you must have them, rename them.
Ciao.
Giuseppe