Splunk Search

Find missing hosts after referencing a lookup file.

jason_hotchkiss
Communicator

Hello, I have the following search which produces Statistics (746) in Splunk:

index=my_index sourcetype=my_st id=100 host!=10.* earliest=-1d@d
| stats values(repot) as repot dc(repot) as repot_count values(ip) as ip_address dc(ip) as ip_count by host
| table host ip_count ip_address repot_count repot

I am then using a lookup file to filter out unwanted hosts from the above search (which produces Statistics (676) in Splunk):

| search
    [ | inputlookup my_host_list
      | table host ip_address ]
| dedup host
| table host ip_count ip_address repot_count repot


How would I determine the host names of the 70 missing hosts from the my_host_list lookup?


richgalloway
SplunkTrust
SplunkTrust

You're looking for hosts not in the lookup file so use the NOT keyword in the search.

| search NOT
    [ | inputlookup my_host_list
      | table host ip_address ]
| dedup host
| table host ip_count ip_address repot_count repot

 

---
If this reply helps you, Karma would be appreciated.


gcusello
SplunkTrust
SplunkTrust

Hi @jason_hotchkiss,

you could run something like this:

index=my_index sourcetype=my_st id=100 host!=10.* earliest=-1d@d
| stats
    values(repot) as repot
    dc(repot) as repot_count
    values(ip) as ip_address
    dc(ip) as ip_count
    count
    BY host
| append [ | inputlookup my_host_list
    | eval count=0
    | fields host ip_address count ]
| stats
    values(repot) as repot
    dc(repot) as repot_count
    values(ip_address) as ip_address
    dc(ip_address) as ip_count
    sum(count) as total
    BY host
| eval status=if(total=0,"missing","present")
| table host ip_count ip_address repot_count repot status

Ciao.

Giuseppe

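Putting the two answers above together, as an added example that is not code from the thread: one search that labels every host as present in both the search results and the lookup, only in the search (the 70 hosts the question is about), or only in the lookup. It reuses the field names from the question (index, sourcetype, id, repot, ip) and assumes my_host_list is an existing lookup with a host column that inputlookup can read; the fields in_search, in_lookup and status are names chosen here.

```spl
index=my_index sourcetype=my_st id=100 host!=10.* earliest=-1d@d
| stats values(repot) as repot dc(repot) as repot_count values(ip) as ip_address dc(ip) as ip_count by host
| eval in_search=1
| append
    [ | inputlookup my_host_list
      | search host!=10.*
      | dedup host
      | eval in_lookup=1
      | fields host in_lookup ]
| stats values(repot) as repot max(repot_count) as repot_count values(ip_address) as ip_address max(ip_count) as ip_count max(in_search) as in_search max(in_lookup) as in_lookup by host
| fillnull value=0 in_search in_lookup
| eval status=case(in_search=1 AND in_lookup=1, "both", in_search=1, "search_only", in_lookup=1, "lookup_only")
| where status!="both"
| sort status host
| table host status ip_count ip_address repot_count repot
```

The first stats aggregates the events per host and tags each row with in_search=1; the appended lookup rows carry in_lookup=1 instead. The second stats merges the two sets on host, so a host seen in only one source ends up with one of the two flags missing, fillnull turns the missing flag into 0, and case() assigns the label. Drop the `where` line to see all three groups, or change it to `where status="search_only"` to get just the hosts the question asks for. The `search host!=10.*` inside the subsearch applies the same host filter the base search uses, so hosts that the base search deliberately excludes are not reported as lookup_only. Two caveats that also apply to the accepted answer: subsearches are capped by limits.conf (by default 10,000 rows for a search NOT [...] subsearch, 50,000 rows for append, and 60 seconds of runtime for both), and matching the subsearch on both host and ip_address, as the original search does, means a host whose current IPs no longer include the IP recorded in the lookup will not be matched; keeping only host in the subsearch, as above, avoids that.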


jason_hotchkiss
Communicator

@richgalloway - thank you. I think I have been staring at this screen too long...
