Get the recent event date from a .csv using inputl...

ephraimjoseph · ‎05-15-2024

Currently, this is my SPL query and it just displays different results

this is my hostname_list.csv

host

hostname_a*

hostname_b*

hostname_c*

| inputlookup hostname_list.csv
| fields host
| join type=inner host [search index=unix | stats latest(_time) as latest_time, latest(source) as source, latest(_raw) as event by host | convert ctime(latest_time) as latest_time] | table host, latest_time, source, event

and it displays like this one:

host	latest_time	source	event
hostname_a*
hostname_b*
hostname_c*

I assume that the wildcard "*" is acting like a literal string.

I'm expecting results like this.

host	latest_time	source	event
hostname_a12	test	test	test
hostname_a23	test	test	test
hostname_c123	test	test	test

please help thanks!

ITWhisperer · ‎05-16-2024

Try something like this

index=unix [|inputlookup hostname_list.csv]
| stats latest(_time) as latest_time, latest(source) as source, latest(_raw) as event by host | convert ctime(latest_time) as latest_time | table host, latest_time, source, event

Get the recent event date from a .csv using inputlookup at the same time append a wildcard into the host.

lookup

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

Get the recent event date from a .csv using inputlookup at the same time append a wildcard into the host.

lookup

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA