Hello All

I originally asked a similar question

https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html

It did seem to work but, it now seems not to be working. So here is what I am doing.

• Get a list of all hosts and IP in our DMZs that are being report live/active via Qualys scan of our networks
• I take results from Qualys scan and place into a lookup file called dmzhosts.csv
• I then take the dmzhosts.csv and run a search for hostname or IP address against index=. I am doing it this way as due to the fact that not every device that is reporting into Splunk has a universal forwarder. I use the following search: `index= [ inputlookup dmzhosts.csv | table IP | rename IP AS host | format] OR [ inputlookup dmzhosts.csv | table hostname | rename hostname AS host | format] | eval host=upper(host) | stats count by host | append [inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname)|rename hostname as host | fields host, count] | stats sum(count) AS Total by host | where Total=0 | outputlookup missingdmzhosts.csv`

The search is only run over for the last 24 hrs and is ran every morning at 6am. My issue is that I have actually setup and verified manually several hosts that were missing, these systems are appliances and can only send syslog, but again I have verified that I see their logs in Splunk. But my search still shows them as missing dmz hosts.

any help would be appreciated.

thanks
ed