Solved: Re: How do I run an Excel report against a search?

Greendav · ‎10-10-2018

I have an Excel report of hundreds of servers that i need to verify are reporting to Splunk. Is there a fast way to find all of the host in this Excel form and run it within Splunk? Possibly by creating a lookup or some other way?

Vijeta · ‎10-10-2018

You can upload your Excel as a CSV lookup table in Splunk and then, using the command line, create a search that searches the index for server field and looks up in the lookup table . Make sure the field that you are looking at has the same name in lookup and index.

index=<yourindex> |dedup host| join type=Outer host[|inputlookup <yourlookup.csv>| eval flag="Yes"] | table host flag

The output will give you list of all servers with flag Yes or null. If flag is null means server is not reporting in Splunk

View solution in original post

iamarkaprabha · ‎10-10-2018

Hi

You can use inputlookup for that one.
Put your spl query and then join by using the same csv file using it as inputlookup . Join those two data by putting the same field. Please note filed name will need to be same.

Spl query | join fieldname [|inputlookup ]

Vijeta · ‎10-10-2018

You can upload your Excel as a CSV lookup table in Splunk and then, using the command line, create a search that searches the index for server field and looks up in the lookup table . Make sure the field that you are looking at has the same name in lookup and index.

index=<yourindex> |dedup host| join type=Outer host[|inputlookup <yourlookup.csv>| eval flag="Yes"] | table host flag

The output will give you list of all servers with flag Yes or null. If flag is null means server is not reporting in Splunk

Greendav · ‎10-10-2018

So this method worked for the most part but the results are not showing anything in the Flag column. There isnt a Yes or a Null response under flag.

My search looks like

Vijeta · ‎10-10-2018

If the host in lookup matches with the lookup only then the flag will be Yes else it will be null(blank).
Also please check the column name in your lookup is host , I believe you are using csv lookup so please use inputlookup LiveServers.csv

Greendav · ‎10-11-2018

I still have had no luck. I ran the search yesterday and it never completed. As the table continues to build im seeing a null status (no results) in the flag column for none of the servers. Making it appear that none of the servers are currently pulling logs into splunk .

Vijeta · ‎10-11-2018

what does your lookup look like? how much rows your lookup has?
Try this

index=wineventlog |stats count by host| join type=Outer host[|inputlookup LiveServers.csv| eval flag="Yes"|fields flag] | table *

Greendav · ‎10-11-2018

The lookup file has one row. beginning with "host" in the first column. Should i have the CSV setup differently?

Vijeta · ‎10-11-2018

Please upload your lookup as a csv type and give the lookup name with csv extension like .csv

How do I run an Excel report against a search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation