Splunk Search

Efficient Lookup Table Search for each Field, Combine Results?

mlorrette
Path Finder

I'd like to run a search for each host in a list but only return the top result for each host. In a search, it could look something like:

host=Server-01 searchterms | head 1 | table interestingValue
| append
[ host=Server-02 searchterms | head 1 | table interestingValue]
| append
[ host=Server-nn searchterms | head 1 | table interestingValue]

I thought of creating a lookup table "Server_Names.csv" and somewhat loop through it? Use a macro? Unsure.

hostName
Server-01
Server-02
Server-nn
0 Karma
1 Solution

pradeepkumarg
Influencer
host=Server-01 OR host=Server-01 OR host=Server-nn searchterms | dedup host | table host  interestingValue 

View solution in original post

xpac
SplunkTrust
SplunkTrust

Try this:

index=whatever (host=Server-01 OR host=Server-02 OR ...) searchterms
| stats latest(interestingValue) by host

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

FrankVl
Ultra Champion

And then you could indeed put the host filter part into a macro for easier maintenance and reuse across searches. Or leave it out altogether if you want to look at all your hosts anyway.

mlorrette
Path Finder

@xpac
Upvoted. I've added a lookup table:

index=wineventlog sourcetype="WinEventLog:Security"
[| inputlookup serverList.csv | rename Name as host | fields host]
| dedup host | table host 

I now need to figure out how to display servers that are part of serverList.csv but don't appear in the search. Added a second lookup but it didn't work. Separate question though..

xpac
SplunkTrust
SplunkTrust

Are searchterms and interestingValue the same for every host, or are they different each time?

0 Karma

mlorrette
Path Finder

@xpac Yes- they searchterms and interestingValue are the same.. are you thinking of a macro?

pradeepkumarg
Influencer
host=Server-01 OR host=Server-01 OR host=Server-nn searchterms | dedup host | table host  interestingValue 

View solution in original post

mlorrette
Path Finder

Worked like a charm!

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!