How can I check for events from a host in a list of "critical hosts"?

I have a list of hosts; I need to see if these hosts appear anywhere in my Splunked events. It is a very long list, so I don't want to type a search like this:

host=a.domain.com OR host=b.xyz.com OR ....

Is there a better way?

[I feel certain that this question has been asked and answered before, many times - but I simply could not find it in Answers. My apologies if it duplicates.]

One way to do this would be to use a lookup table. A simple lookup table is a CSV file that you upload into Splunk; you can re-upload it if you need to change the list. In this case, I would probably set up the lookup table something like this:

fqdn,name,domain
hostA.yahoo.com,hostA,yahoo.com
hostB.domain.com,hostB,domain.com
hostC.zzz.com,hostC,zzz.com

(or whatever columns you need). Upload the file into Splunk and make it a lookup. Here is a tutorial: Enabling Field Lookups
Note that you do not need to make the lookup automatic. However, I set the Advanced Options so that the min and max are both = 1 and the Default matches = "Unknown" - it makes some searches easier...

For this example, assume the lookup is named "host_lookup". Now, if you have fewer than 100 hosts in your list, you can simply do this for your search:

index=* [ inputlookup host_lookup | fields fqdn | rename fqdn as search ]

This will search for the FQDNs wherever they may appear in the raw data; the subsearch will return

 "hostA.yahoo.com" OR "hostB.domain.com" OR "hostC.zzz.com"

which will be added to the base search and then executed. This is great, but it is inefficient. First, limit the search to particular indexes and sourcetypes if you can; in fact, the more information you put in the search, the faster it should be. Don't just use index=* unless you truly must search across all data sources.

But if you have many hosts in your list, you may need to improve the performance of your search by using lookups directly rather than a subsearch. To make this work, you will need to know the fields that could contain the hostname. For example, if your data has a field called "servername," you could perform the following search:

yoursearchhere
| lookup host_lookup fqdn as servername OUTPUT name
| where name!="Unknown"

This search leverages the "Default matches" setting for the lookup; "Unknown" is returned if no match was found in the lookup table. So eliminating the "Unknowns" will provide a list of events that match the fqdn.

Of course, you can use more complicated searches, and more complicated lookups, to extend this idea. Also, you may want to take control of how the subsearch returns its results by using either the format or return command.

More About Subsearches
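As an added illustration that is not part of the answer above (Splunk does the real work; this is a helper around it): a short Python script that turns a plain list of critical hosts into the fqdn,name,domain CSV the answer describes, shows the OR-clause the inputlookup subsearch expands to, and models the Default matches = "Unknown" filtering on a few constructed events. The host list, the events and the `servername` field value are constructed sample data.

```python
import csv
import io

# Constructed sample input: the "very long list" of critical hosts, one FQDN each.
CRITICAL_HOSTS = ["hostA.yahoo.com", "hostB.domain.com", "hostC.zzz.com", "standalone"]


def build_lookup_rows(fqdns):
    """Split each FQDN into the fqdn,name,domain columns used by the lookup CSV.
    A bare hostname with no dots gets an empty domain instead of breaking the row."""
    rows = []
    for fqdn in fqdns:
        name, _, domain = fqdn.partition(".")
        rows.append({"fqdn": fqdn, "name": name, "domain": domain})
    return rows


def lookup_csv(rows):
    """Render the rows as the CSV text you would upload as host_lookup."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["fqdn", "name", "domain"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def subsearch_terms(rows):
    """What `[ inputlookup host_lookup | fields fqdn | rename fqdn as search ]`
    hands back to the outer search: each FQDN quoted, joined with OR."""
    return " OR ".join('"%s"' % r["fqdn"] for r in rows)


def lookup_filter(events, rows, field="servername", default="Unknown"):
    """Model `| lookup host_lookup fqdn as <field> OUTPUT name | where name!="Unknown"`
    with Default matches set to "Unknown": events whose field value is absent from the
    table (or that lack the field entirely) receive the default and are dropped.
    Matching here is exact and case-sensitive, a simplification of Splunk's options."""
    by_fqdn = {r["fqdn"]: r["name"] for r in rows}
    kept = []
    for ev in events:
        name = by_fqdn.get(ev.get(field), default)
        if name != default:
            kept.append(dict(ev, name=name))
    return kept
```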