Hello everyone,
Below is my search (not very clean, I'm a novice 🙂 )
However, I have an idea: I have grouped all the hosts in a CSV file and I would like to get the same result as in the current search. How should I proceed? I know that to add a CSV file to a search you have to use |inputlookup "nomdufichier"; what comes next in my case? How can I add the index?
Thanks, everyone.
Look at sub searches to add search conditions to the main search.
index=AAAA [ |inputlookup mylookup.csv | table host ]
will turn into
index=AAAA ( host=1 OR host=2 OR host=3 )
Hello,
It doesn't work, here's my research:
index="dc_winaudit" host=IN1101D9 OR host=IN1101DA OR host=IN1101DB OR host="IN1101DC" OR host="in1101dd" OR host="IN1101DE" OR host="IN1102D1" OR host="IN1102D2" OR host="IN1102D3" OR host="IN1102D4" OR host="IN1102D5" OR host="IN1102D7" OR host="IN1102D8" OR host="IN1102DC" OR host="IN1102DD" OR host="IN1102DE" OR host="IN1102DG" OR host="IN1102DH" OR host="IN1102DI" OR host="IN1102DJ" OR host="IN1104D1" OR host="IN1104D2" OR host="IN1104D3" OR host="IN1104D4" OR host="IN1104D5" OR host="IN1104D6" OR host="IN1104D7" OR host="IN1104DH" OR host="IN1104DI" OR host="IN1104DJ" OR host="IN4000D2" OR host="IN8000D2" OR host="IN7201D1" OR host="IN7202D2" OR host="IN7202D3" OR host="IN7201D1" OR host="IN7201D2" OR host="IN7201D3" OR host="IN9901D1" OR host="IN9901D2" OR host="IN9901D3" OR host="IN9901D4" OR host="IN9902D1" OR host="IN9902D2" OR host="IN9902D3" OR host="IN9902D4"
|rename Target_Domain as Domaine
|table host Domaine
|dedup host
|eval collecte=if(action = success,"Non","Oui")
I created a CSV file to simplify things; in my CSV file there is only one column, the host column.
I would like to know how I can get exactly the same results by doing my search this time with my CSV file and index.
Thank you
Second remark: do not use table and dedup in that order. It's expensive, as the table can only happen on the SH; rely on the map-reduce capabilities of Splunk to get the work done on the indexers.
|table host Domaine
|dedup host
try
|dedup host
| table host Domaine
If your lookup file is a CSV "mycsvlookup.csv" or "mycsvlookup", with a single column "host",
you should be able to call it with
| inputlookup mycsvlookup
now try
index="dc_winaudit" [ | inputlookup mycsvlookup | table host ]
or maybe
index="dc_winaudit" [ search | inputlookup mycsvlookup | table host ]