So I have a lookup file with a complete list of servers and their details like version, owner, etc., and an index my_index that gets logs from servers.
This is the search I am using right now:
| inputlookup my_lookup.csv
| join type=left server_name
[ | tstats count where index=my_index by host
| eval reporting="yes"]
| eval reporting=if(isnull(reporting),"No","Yes")
I want to validate the list by referencing it against the tstats reports and show the whole list of the lookup file.
What I want to know is whether this search is accurate. Will the subsearch truncate results, giving me inaccurate output? Is there any alternate way to write this search? Please help.
| tstats ...
| inputlookup append=t ...
| stats values(*) as * by host
Hi @PotatoDataUser,
try using the lookup command (https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Lookup):
| tstats count where index=my_index by host
| lookup my_lookup.csv server_name AS host
Ciao.
Giuseppe
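
The `tstats` + `inputlookup append=t` + `stats` outline from the earlier reply, written out in full as an added example (not part of any reply in this thread). It assumes the `server_name` values in `my_lookup.csv` match the indexed `host` values exactly, and it keeps only servers that appear in the lookup:

```spl
| tstats count where index=my_index by host
| eval reporting="Yes"
| inputlookup append=t my_lookup.csv
| eval host=coalesce(host, server_name)
| stats values(*) as * by host
| where isnotnull(server_name)
| fillnull value="No" reporting
```

Because `inputlookup append=t` appends the lookup rows to the main result set instead of running inside a subsearch, the subsearch result and runtime limits that can silently truncate a `join` do not apply.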