Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to build a search with lookup file

Ruben_sb1
Explorer
‎09-08-2020 11:02 AM

Hello,

I would like to know  how to build a search  with  using lookup result

I mean

 

I have a list(assent_server.csv)  with my  servers  with the follow   filds (ip,priority,nt_host)

 

Ejemple:

ip,priority,nt_host

10.10.1.1,critical,SERVER01

10.10.1.2,critical,SERVER02

10.10.1.2,critical,SERVER02

 

 

So I  need to create the next to:

 

Search  any  servers that  I have in the file assent_server.csv and get  the log fiels.

I  had tried  with this search

1)index="win*" host=[|inputlookup asset_list | fields ip]

2)index="win*"  | search host=[|inputlookup asset_list | fields nt_host] 

but  I get this  result:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side:

 

 

 

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-12-2020 01:54 AM

Hi

please try 

index="win*" [|inputlookup asset_list | fields ip | rename ip as host | format]

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Ruben_sb1
Explorer
‎09-11-2020 07:35 AM

i have the same error 😞

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-12-2020 01:54 AM

Hi

please try 

index="win*" [|inputlookup asset_list | fields ip | rename ip as host | format]

r. Ismo 

0 Karma
Reply
Solved! Jump to solution

Ruben_sb1
Explorer
‎09-12-2020 08:24 AM

perfect,

 

index="win*" [|inputlookup asset_list | search priority="critical" | fields nt_host |rename nt_host as host | format]| top limit=2000 host

 

but

Can you say me why it work?
what is the splunk's logica.

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-12-2020 09:26 AM
You understand it after you run only that sub search, read what the format do and then remember that sub search has run first. Basically the result of sub search has added to main search and then it has ran.
r. Ismo
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-12-2020 08:02 AM
Can you show index=win* what kind of events you have?
0 Karma
Reply
Solved! Jump to solution

Ruben_sb1
Explorer
‎09-12-2020 07:06 AM

hello.

 

I tried but I haven't gotten result the result was 0

Ruben_sb1_0-1599919563673.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2020 11:40 AM

Can you try something like

index="win*" host IN [|inputlookup asset_list | fields ip]
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...