Hello,
I would like to know how to build a search using a lookup result.
I mean:
I have a list (assent_server.csv) of my servers with the following fields (ip,priority,nt_host)
Example:
ip,priority,nt_host
10.10.1.1,critical,SERVER01
10.10.1.2,critical,SERVER02
10.10.1.2,critical,SERVER02
So I need to create the following:
Search for any servers that I have in the file assent_server.csv and get the log fields.
I tried these searches:
1)index="win*" host=[|inputlookup asset_list | fields ip]
2)index="win*" | search host=[|inputlookup asset_list | fields nt_host]
but I get this result:
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side:
Hi
please try
index="win*" [|inputlookup asset_list | fields ip | rename ip as host | format]
r. Ismo
I have the same error 😞
Perfect,
index="win*" [|inputlookup asset_list | search priority="critical" | fields nt_host |rename nt_host as host | format]| top limit=2000 host
but
can you tell me why it works?
What is Splunk's logic?
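On why the search above works: a subsearch in square brackets runs first, and its result rows are pasted into the outer search as text, one OR term per row. The following Python model of that expansion is an added example, not Splunk code and not from any poster in this thread; the function names, the [SUBSEARCH] placeholder and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Constructed sample rows in the same layout as the lookup in the question.
ASSET_CSV = """ip,priority,nt_host
10.10.1.1,critical,SERVER01
10.10.1.2,critical,SERVER02
10.10.1.3,low,SERVER03
"""

def subsearch(csv_text, keep, rename=None, where=None):
    """Model of: | inputlookup X | search <where> | fields <keep> | rename <old> as <new>"""
    rename, where = rename or {}, where or {}
    rows = csv.DictReader(io.StringIO(csv_text))
    return [{rename.get(f, f): r[f] for f in keep}
            for r in rows if all(r[k] == v for k, v in where.items())]

def spl_format(rows):
    """Model of format's default output: fields ANDed inside a row, rows ORed."""
    if not rows:
        # Empty subsearch: format emits a never-matching term (spacing approximate).
        return "NOT ()"
    def quote(value):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    groups = ["( " + " AND ".join(f"{k}={quote(v)}" for k, v in row.items()) + " )"
              for row in rows]
    return "( " + " OR ".join(groups) + " )"

def expand(outer, rows):
    """Splunk runs the [ ... ] part first and pastes its formatted result in place."""
    return outer.replace("[SUBSEARCH]", spl_format(rows))

if __name__ == "__main__":
    critical = {"priority": "critical"}
    # Attempt 1 from the question: the pasted text starts with "(", so host= has no valid value.
    print(expand('index="win*" host=[SUBSEARCH]', subsearch(ASSET_CSV, ["ip"])))
    # Working form: the renamed field supplies the "host=" inside every OR term.
    print(expand('index="win*" [SUBSEARCH]',
                 subsearch(ASSET_CSV, ["nt_host"], {"nt_host": "host"}, critical)))
```

The expanded terms only match events whose host value equals the lookup value exactly, so renaming ip to host returns nothing if the events carry hostnames in host.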
Hello.
I tried, but I didn't get any results; the result was 0.
Can you try something like
index="win*" host IN [|inputlookup asset_list | fields ip]