Splunk Search

How to use inputlookup together with an index

numeroinconnu12
Path Finder

Hello everyone,

Below is my search (not very clean, I'm a novice 🙂 )

However, I have an idea: I have grouped all the hosts in a CSV file and I would like to get the same result as with my current search. How do I proceed? I know that to add a CSV file to a search you have to do |inputlookup "filename", but what comes next in my case? How can I add the index?

Thanks to all.

0 Karma

yannK
Splunk Employee

Look at sub searches to add search conditions to the main search.

index=AAAA [ |inputlookup mylookup.csv | table host ]

will turn into

index=AAAA ( host=1 OR host=2 OR host=3 )

0 Karma

numeroinconnu12
Path Finder

Hello,
It doesn't work, here's my search:

index="dc_winaudit" (host=IN1101D9 OR host=IN1101DA OR host=IN1101DB OR host="IN1101DC" OR host="in1101dd" OR host="IN1101DE" OR host="IN1102D1" OR host="IN1102D2" OR host="IN1102D3" OR host="IN1102D4" OR host="IN1102D5" OR host="IN1102D7" OR host="IN1102D8" OR host="IN1102DC" OR host="IN1102DD" OR host="IN1102DE" OR host="IN1102DG" OR host="IN1102DH" OR host="IN1102DI" OR host="IN1102DJ" OR host="IN1104D1" OR host="IN1104D2" OR host="IN1104D3" OR host="IN1104D4" OR host="IN1104D5" OR host="IN1104D6" OR host="IN1104D7" OR host="IN1104DH" OR host="IN1104DI" OR host="IN1104DJ" OR host="IN4000D2" OR host="IN8000D2" OR host="IN7201D1" OR host="IN7202D2" OR host="IN7202D3" OR host="IN7201D1" OR host="IN7201D2" OR host="IN7201D3" OR host="IN9901D1" OR host="IN9901D2" OR host="IN9901D3" OR host="IN9901D4" OR host="IN9902D1" OR host="IN9902D2" OR host="IN9902D3" OR host="IN9902D4")
|rename Target_Domain as Domaine
|eval collecte=if(action="success","Non","Oui")
|table host Domaine collecte
|dedup host

I created a CSV file to simplify things; in my CSV file there is only one column, the host column.

I would like to know how I can get exactly the same results by doing my search this time with my CSV file and the index.

thank you

0 Karma

yannK
Splunk Employee

Second remark: do not use table and dedup in that order. It's expensive, as the table can only happen on the SH; rely on the map-reduce capabilities of Splunk to get the work done on the indexers.

|table host Domaine
|dedup host

try

|dedup host
| table host Domaine

0 Karma

yannK
Splunk Employee

If your lookup file is a CSV "mycsvlookup.csv" or "mycsvlookup", with a single column "host",

you should be able to call it with

  | inputlookup mycsvlookup

now try

index="dc_winaudit" [  | inputlookup mycsvlookup | table host ]

or maybe

index="dc_winaudit" [ search | inputlookup mycsvlookup | table host ]
0 Karma
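The following Python script is an added example, not code from the thread or from Splunk. It models what yannK describes: the subsearch `[ | inputlookup mycsvlookup | table host ]` is evaluated first and its rows are rewritten into a parenthesised `host="..." OR host="..."` clause that is then appended to the outer `index=` search. Reproducing that expansion outside Splunk makes it easy to check what the lookup actually contributes before running the search, and to catch the two things that silently break this pattern: an empty lookup (nothing to filter on) and a lookup larger than the subsearch result limit (10,000 rows by default, `maxout` under `[subsearch]` in limits.conf). The sample CSV content, the function names, and the exact spacing of the rendered clause are assumptions made for this example.

```python
import csv
import io

# Constructed sample lookup content: a single "host" column, as in the thread.
# The duplicate row and the lower-case entry are deliberate, to show dedup behaviour.
SAMPLE_LOOKUP_CSV = """host
IN1101D9
IN1101DA
in1101dd
IN1101D9
"""

# Default subsearch result cap in Splunk (limits.conf [subsearch] maxout).
DEFAULT_SUBSEARCH_MAXOUT = 10000


def read_lookup_column(csv_text, field="host"):
    """Return the non-empty values of one column of a CSV lookup, in file order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if field not in (reader.fieldnames or []):
        raise ValueError(f"column {field!r} not found in lookup header {reader.fieldnames}")
    return [row[field].strip() for row in reader if row[field] and row[field].strip()]


def spl_quote(value):
    """Wrap a value in double quotes, escaping backslashes and quotes so that a
    host name containing odd characters cannot alter the generated search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def subsearch_clause(values, field="host", dedupe=True):
    """Model of what `[ | inputlookup ... | table host ]` contributes to the outer
    search: a parenthesised OR of field=value terms. With dedupe=True duplicate
    rows collapse to one term (what `| dedup host` in the subsearch would do).
    Returns None for an empty lookup, since there would be nothing to filter on."""
    if dedupe:
        seen = set()
        unique = []
        for v in values:
            if v not in seen:
                seen.add(v)
                unique.append(v)
        values = unique
    if not values:
        return None
    return "( " + " OR ".join(f"{field}={spl_quote(v)}" for v in values) + " )"


def build_search(csv_text, index="dc_winaudit", field="host",
                 maxout=DEFAULT_SUBSEARCH_MAXOUT):
    """Render the full outer search, refusing inputs the subsearch would truncate
    or that would produce no host filter at all."""
    values = read_lookup_column(csv_text, field)
    if len(values) > maxout:
        raise ValueError(
            f"lookup has {len(values)} rows, above the subsearch limit of {maxout}; "
            "the host list would be silently truncated")
    clause = subsearch_clause(values, field)
    if clause is None:
        raise ValueError("lookup is empty: the subsearch would return no host filter")
    return f"index={spl_quote(index)} {clause}"


if __name__ == "__main__":
    print(build_search(SAMPLE_LOOKUP_CSV))
```

Running it prints the search that yannK's subsearch form expands to for the sample file, with the duplicated `IN1101D9` appearing only once. The size check is the reason to prefer `| dedup host` inside the subsearch on a large lookup: it is the row count returned by the subsearch, not the number of distinct hosts, that is subject to the limit.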