Solved: how to build a search with lookup file

Ruben_sb1 · ‎09-08-2020

Hello,

I would like to know how to build a search with using lookup result

I mean

I have a list(assent_server.csv) with my servers with the follow filds (ip,priority,nt_host)

Ejemple:

ip,priority,nt_host

10.10.1.1,critical,SERVER01

10.10.1.2,critical,SERVER02

So I need to create the next to:

Search any servers that I have in the file assent_server.csv and get the log fiels.

I had tried with this search

1)index="win*" host=[|inputlookup asset_list | fields ip]

2)index="win*" | search host=[|inputlookup asset_list | fields nt_host]

but I get this result:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side:

isoutamo · ‎09-12-2020

Hi

please try

index="win*" [|inputlookup asset_list | fields ip | rename ip as host | format]

r. Ismo

View solution in original post

Ruben_sb1 · ‎09-11-2020

i have the same error 😞

isoutamo · ‎09-12-2020

Hi

please try

index="win*" [|inputlookup asset_list | fields ip | rename ip as host | format]

r. Ismo

Ruben_sb1 · ‎09-12-2020

perfect,

but

Can you say me why it work?
what is the splunk's logica.

isoutamo · ‎09-12-2020

You understand it after you run only that sub search, read what the format do and then remember that sub search has run first. Basically the result of sub search has added to main search and then it has ran.
r. Ismo

isoutamo · ‎09-12-2020

Can you show index=win* what kind of events you have?

Ruben_sb1 · ‎09-12-2020

hello.

I tried but I haven't gotten result the result was 0

ITWhisperer · ‎09-08-2020

Can you try something like

index="win*" host IN [|inputlookup asset_list | fields ip]

how to build a search with lookup file

configuration

Splunk Investigate

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!