- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparing hosts not reporting to a separate lookup...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Comparing hosts not reporting to a separate lookup and adding supplemental information
I came across a posting that had the following search which works amazingly well:
| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime
My question is, how can I take the results of this search and compare it with a lookup? My dblookup contains a lot of valuable information that a CMDB would contain (Domain Notes OS app_owner applications business_unit host host_with_fqdn patch_cycle primary_contact secondary_contact serial server_model server_platform server_status server_type site)
Specifically I am looking to know all the hosts that are present in both the results of the search above, with the lookup table I already have, and pull in the status (retired or active), and possibly supplement the results with some of the additional information that might be valuable in the lookup table.
Basically inventory control
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're using dblookup using dbconnect try something like this (http://docs.splunk.com/Documentation/DBX/1.1.4/DeployDBX/Setupadatabaselookuptable#Create_a_lookup_b...)
| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | lookup local=1 yourdblookup host OUTPUT add Your Columns here | table age,host,lastTime Your Columns here
For regular csv lookup tables, pretty much the same.
| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | lookup yourdblookup.csv host OUTPUT add Your Columns here | table age,host,lastTime Your Columns here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You also have to add | where isnotnull(SomeFieldInYourLookupFile) to strip out the hosts that are not found. This solution is better than mine because it does not use a subsearch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | eval type=metadata | append [|inputlookup max=0 YourLookup | eval type=lookup] | stats values(*) AS * | where mvcount(type)=2
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
