How can Splunk loop through a list of numbers and ...

koshyk · ‎03-03-2020

We have got a problem to find a list of 500+ client servers (but less than 1000), which are missing DNS entries. the servers have a pattern luckily . Let's say for example, the server names are myhost001 to myhost999

So we want to loop through all those servers and do a dnslookup

|makeresults
| eval src_host_001="myhost001"
...
| eval src_host_999="myhost999"
| foreach src_host_* [eval src_host=<<FIELD>>]
|lookup dnslookup clienthost as src_host OUTPUTNEW clientip

Is there a way, we can loop using a pattern, so I don't want to use a lookup file or external csv?
Ideally the logic I'm trying to replicate is
for a range of myhost[0-9][0-9][0-9] , loop through each of them and do a dnslookup

So something like in sort of

for id in $( seq 1 999 ); do {
    src_host=myhost${id}
   ##|lookup dnslookup clienthost as ${src_host} OUTPUTNEW clientip
}

thanks in advance

to4kawa · ‎03-03-2020

| makeresults count=999
| streamstats count 
| eval count=printf("%03d",count) 
| eval src_host="myhost".count
|lookup dnslookup clienthost as src_host OUTPUTNEW clientip

Hi, folks
How about this?

manjunathmeti · ‎03-03-2020

Hi @koshyk,

Try this:

| makeresults count=999 
| eval number = 1 
| streamstats sum(number) as number 
| eval src_host=case(len(number)==1, "myhost00".number, len(number)==2, "myhost0".number, 1==1, "myhost".number)
| lookup dnslookup clienthost as src_host OUTPUTNEW clientip

richgalloway · ‎03-03-2020

TBH, this is probably easier to do with a bash script.

---
If this reply helps you, Karma would be appreciated.

koshyk · ‎03-03-2020

wished we had got access to backend 🙂

How can Splunk loop through a list of numbers and do an action against each of them?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms