Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Comparing hosts not reporting to a separate lookup and adding supplemental information

LiquidTension
Path Finder
‎10-13-2015 07:38 AM

I came across a posting that had the following search which works amazingly well:

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

My question is, how can I take the results of this search and compare it with a lookup? My dblookup contains a lot of valuable information that a CMDB would contain (Domain Notes OS app_owner applications business_unit host host_with_fqdn patch_cycle primary_contact secondary_contact serial server_model server_platform server_status server_type site)
Specifically I am looking to know all the hosts that are present in both the results of the search above, with the lookup table I already have, and pull in the status (retired or active), and possibly supplement the results with some of the additional information that might be valuable in the lookup table.

Basically inventory control

0 Karma
Reply

somesoni2
Revered Legend
‎10-13-2015 07:52 AM

If you're using dblookup using dbconnect try something like this (http://docs.splunk.com/Documentation/DBX/1.1.4/DeployDBX/Setupadatabaselookuptable#Create_a_lookup_b...)

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | lookup local=1 yourdblookup host OUTPUT add Your Columns here | table age,host,lastTime Your Columns here

For regular csv lookup tables, pretty much the same.

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | lookup  yourdblookup.csv host OUTPUT add Your Columns here | table age,host,lastTime Your Columns here
Reply

woodcock
Esteemed Legend
‎10-13-2015 08:02 AM

You also have to add | where isnotnull(SomeFieldInYourLookupFile) to strip out the hosts that are not found. This solution is better than mine because it does not use a subsearch.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-13-2015 07:48 AM

Like this:

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | eval type=metadata | append [|inputlookup max=0 YourLookup | eval type=lookup] | stats values(*) AS * | where mvcount(type)=2
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...