Splunk Search

Get the recent event date from a .csv using inputlookup at the same time append a wildcard into the host.

ephraimjoseph
New Member

Currently, this is my SPL query, and it just displays different results.

This is my hostname_list.csv:

host
hostname_a*
hostname_b*
hostname_c*



| inputlookup hostname_list.csv
| fields host
| join type=inner host
    [ search index=unix
    | stats latest(_time) as latest_time, latest(source) as source, latest(_raw) as event by host
    | convert ctime(latest_time) as latest_time ]
| table host, latest_time, source, event

and it displays like this one:

| host | latest_time | source | event |
|---|---|---|---|
| hostname_a* | | | |
| hostname_b* | | | |
| hostname_c* | | | |

I assume that the wildcard "*" is acting like a literal string.

I'm expecting results like this.

| host | latest_time | source | event |
|---|---|---|---|
| hostname_a12 | test | test | test |
| hostname_a23 | test | test | test |
| hostname_c123 | test | test | test |



Please help, thanks!

0 Karma

ITWhisperer
SplunkTrust

Try something like this

index=unix [|inputlookup hostname_list.csv]
| stats latest(_time) as latest_time, latest(source) as source, latest(_raw) as event by host
| convert ctime(latest_time) as latest_time
| table host, latest_time, source, event
0 Karma
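
The approach from the answer above as a self-contained search, added here as an example and not part of the original thread: `makeresults` builds constructed events (the three hosts from the expected output plus an assumed `unrelated_host`) in place of `index=unix`, and an inline pattern list stands in for `hostname_list.csv`. The subsearch is expanded into `host="hostname_a*" OR ...` terms for the `search` command, so `*` acts as a wildcard, whereas `join` compares the `host` values as exact strings.

```spl
| makeresults count=4
| streamstats count as n
| eval host=case(n==1, "hostname_a12", n==2, "hostname_a23", n==3, "hostname_c123", n==4, "unrelated_host")
| eval source="test", _raw="test"
| search
    [| makeresults
     | eval host=split("hostname_a*,hostname_b*,hostname_c*", ",")
     | mvexpand host
     | table host ]
| stats latest(_time) as latest_time, latest(source) as source, latest(_raw) as event by host
| convert ctime(latest_time) as latest_time
| table host, latest_time, source, event
```

A pattern with no matching events, such as `hostname_b*` here, produces no row, so this search on its own does not reveal listed hosts that have stopped sending data.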