Splunk Cloud Platform

how to build a search with lookup file

Ruben_sb1
Explorer

Hello,

I would like to know how to build a search using a lookup result.

I mean:

I have a list (assent_server.csv) with my servers with the following fields (ip,priority,nt_host).

Example:

ip,priority,nt_host
10.10.1.1,critical,SERVER01
10.10.1.2,critical,SERVER02
10.10.1.2,critical,SERVER02

So I need to create the following:

Search any servers that I have in the file assent_server.csv and get the log fields.

I had tried with these searches:

1) index="win*" host=[|inputlookup asset_list | fields ip]

2) index="win*" | search host=[|inputlookup asset_list | fields nt_host]

but I get this result:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side:


isoutamo
SplunkTrust

Hi

please try 

index="win*" [|inputlookup asset_list | fields ip | rename ip as host | format]

r. Ismo 


Ruben_sb1
Explorer

I have the same error 😞


Ruben_sb1
Explorer

Perfect,

index="win*" [|inputlookup asset_list | search priority="critical" | fields nt_host | rename nt_host as host | format] | top limit=2000 host

but

can you tell me why it works?
What is Splunk's logic?

isoutamo
SplunkTrust
You will understand it after you run only that subsearch, read what format does, and then remember that the subsearch runs first. Basically the result of the subsearch is added to the main search and then it is run.
r. Ismo
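To make the "subsearch runs first, its rows get spliced into the outer search" logic concrete, here is an added Python model of that expansion. It is not Splunk code and not from anyone in this thread; it assumes a small constructed copy of the lookup (with the duplicated SERVER02 row from the question kept on purpose), a handful of constructed index="win*" events whose host field carries the NT hostname rather than the IP, and that the spacing of Splunk's format output is only approximated.

```python
import csv
import io

# Constructed sample lookup in the shape shown in the question.
# The duplicated SERVER02 row is kept on purpose.
ASSET_LIST_CSV = """ip,priority,nt_host
10.10.1.1,critical,SERVER01
10.10.1.2,critical,SERVER02
10.10.1.2,critical,SERVER02
10.10.2.7,low,SERVER07
"""

# Constructed sample events from index="win*". Assumption: `host` carries
# the NT hostname, not the IP address.
WIN_EVENTS = [
    {"host": "SERVER01", "EventCode": "4624"},
    {"host": "SERVER02", "EventCode": "4625"},
    {"host": "SERVER07", "EventCode": "4624"},
    {"host": "SERVER99", "EventCode": "4624"},
]


def inputlookup(csv_text):
    """`| inputlookup asset_list`: the lookup rows as dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search_eq(rows, field, value):
    """`| search field="value"` applied inside the subsearch."""
    return [r for r in rows if r.get(field) == value]


def fields(rows, *keep):
    """`| fields a b`: keep only the named fields."""
    return [{k: r[k] for k in keep if k in r} for r in rows]


def rename(rows, old, new):
    """`| rename old AS new`."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]


def format_cmd(rows):
    """Model of Splunk's default `| format`: every row becomes an AND of
    field="value" terms, the rows are OR'ed together, and the whole thing is
    parenthesised. Splunk applies the same transformation implicitly to the
    rows a subsearch returns before splicing them into the outer search.
    Exact whitespace is an approximation of Splunk's output."""
    if not rows:
        return "NOT()"  # assumption: token emitted for an empty subsearch result
    clauses = ["( " + " AND ".join(f'{k}="{v}"' for k, v in r.items()) + " )"
               for r in rows]
    return "( " + " OR ".join(clauses) + " )"


def expand_failing_search():
    """Attempt 1 from the question: host=[| inputlookup asset_list | fields ip].
    The subsearch expands to a parenthesised OR of ip="..." clauses, so what
    sits to the right of `host=` is not a single value, hence the parse error."""
    sub = fields(inputlookup(ASSET_LIST_CSV), "ip")
    return 'index="win*" host=' + format_cmd(sub)


def expand_working_search(lookup_field="nt_host", priority="critical"):
    """The accepted answer: filter, keep one field, rename it to the outer
    field name `host`, then format. The result is a plain boolean filter
    that the outer search runs as-is. Duplicate lookup rows become duplicate
    OR clauses; they are harmless but `| dedup nt_host` in the subsearch
    would remove them."""
    sub = inputlookup(ASSET_LIST_CSV)
    sub = search_eq(sub, "priority", priority)
    sub = fields(sub, lookup_field)
    sub = rename(sub, lookup_field, "host")
    return 'index="win*" ' + format_cmd(sub)


def matching_events(events, sub_rows):
    """Apply the OR-of-ANDs filter that format produces: an event matches
    when every field=value of at least one subsearch row holds."""
    return [e for e in events
            if any(all(e.get(k) == v for k, v in row.items()) for row in sub_rows)]


def count_matches(lookup_field="nt_host", priority="critical"):
    """Count sample events matched by the working search's subsearch. Mapping
    `ip` onto `host` yields 0 here because the events' host field holds NT
    hostnames, which mirrors the zero-result attempt earlier in the thread."""
    sub = search_eq(inputlookup(ASSET_LIST_CSV), "priority", priority)
    sub = rename(fields(sub, lookup_field), lookup_field, "host")
    return len(matching_events(WIN_EVENTS, sub))


if __name__ == "__main__":
    print(expand_failing_search())
    print(expand_working_search())
    print(count_matches("nt_host"), count_matches("ip"))
```

Running the block prints the two expanded searches side by side: the failing one ends up as host=( ( ip="10.10.1.1" ) OR ... ), while the working one becomes index="win*" ( ( host="SERVER01" ) OR ( host="SERVER02" ) OR ... ), which is exactly the kind of filter the outer search can execute. The last line shows why the rename target matters: the same lookup mapped through ip instead of nt_host matches nothing when host holds NT names.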

isoutamo
SplunkTrust
Can you show what kind of events you have in index=win*?

Ruben_sb1
Explorer

Hello.

I tried, but I didn't get a result; the result was 0.

[screenshot attachment: Ruben_sb1_0-1599919563673.png]

ITWhisperer
SplunkTrust

Can you try something like

index="win*" host IN [|inputlookup asset_list | fields ip]