Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filtering events with inputlookup not working

bsizemore
Path Finder
‎06-30-2014 02:36 PM

Hello,

Here is an example of my csv - first three lines:

sourceHost
web-a01
a02

I have given the lookup global permissions, and when I execute "inputlookup os-seek.csv, I get all 133 results I expect. The following query is from the Splunk Deployment Manager. I want to filter for the 133 hosts that are in the csv. When I use the inputlookup where I think it should go, I get no results. When I use just one of the hosts from the csv, I do get results.

index="_internal" source="*metrics.lo*" group=tcpin_connections   
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)   
| eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")  
| eval build=if(isnull(build),"n/a",build)   
| eval version=if(isnull(version),"pre 4.2",version)   
| eval guid=if(isnull(guid),sourceHost,guid)   
| eval os=if(isnull(os),"n/a",os)  
| eval arch=if(isnull(arch),"n/a",arch)   
| fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server build version os arch guid   
| eval lastReceived = case(kb>0, _time)   
| eval seconds=30   
| eval event_count= tcp_eps * seconds   
| bin _time span=10m   
| stats  first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kbTotal  sum(event_count) as events sum(seconds) as secs by sourceHost guid _time   
| eval  kb = kbTotal / 30   
| stats  first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived sum(kb) as KB sum(events) as events sum(secs) as secs by sourceHost guid   | eval  avgEps=events/secs   
| addinfo  
| eval  status = if(isnull(KB) or lastConnected<(info_max_time-900),"missing",if(mystatus="quiet","quiet","active"))  
| search sourceHost=* search index="_internal" source="*metrics.lo*" group=tcpin_connections   
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)   
| eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")  
| eval build=if(isnull(build),"n/a",build)   
| eval version=if(isnull(version),"pre 4.2",version)   
| eval guid=if(isnull(guid),sourceHost,guid)   
| eval os=if(isnull(os),"n/a",os)  
| eval arch=if(isnull(arch),"n/a",arch)   
| fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server build version os arch guid   
| eval lastReceived = case(kb>0, _time)   
| eval seconds=30   
| eval event_count= tcp_eps * seconds   
| bin _time span=10m   
| stats  first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kbTotal  sum(event_count) as events sum(seconds) as secs by sourceHost guid _time   
| eval  kb = kbTotal / 30   
| stats  first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived sum(kb) as KB sum(events) as events sum(secs) as secs by sourceHost guid   | eval  avgEps=events/secs   
| addinfo  
| eval  status = if(isnull(KB) or lastConnected<(info_max_time-900),"missing",if(mystatus="quiet","quiet","active"))  
| search sourceHost=* [inputlookup os-seek.csv]
| table sourceHost, os

I put the inputlookup into the query like so:

| search sourceHost=* [inputlookup os-seek.csv]

I guess I'm using inputlookup wrong. How do I fix this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bsizemore
Path Finder
‎06-30-2014 03:02 PM

Instead of fixing it I went with something less complicated:

index=_internal fwdType="*"
|dedup sourceHost
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| search sourceHost=* [inputlookup os-seek.csv] 
| table sourceHost, os

I get the events I want with the above.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bsizemore
Path Finder
‎06-30-2014 03:02 PM

Instead of fixing it I went with something less complicated:

index=_internal fwdType="*"
|dedup sourceHost
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| search sourceHost=* [inputlookup os-seek.csv] 
| table sourceHost, os

I get the events I want with the above.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...