- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I use a look up to check to see if I'm ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I use a look up to check to see if I'm getting logs from hosts that are in a CSV?
Dears,
I'm trying to use a lookup for Splunk to read a file and tell me if I'm collecting the logs to the host of that file.
What I need: Check if I'm getting logs from hosts that are in a CSV.
I am using the following query:
index = main OR index = client * | stats count by host | lookup client_sys hostname AS host
I also tried using the inputlookup command, but it did not work:
index = main OR index = client * NOT [| inputlookup client_sys.csv | fields host]
Is there any other way to do this?
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[edit] You need to use append inputlookup to see hosts not reporting in. Also I recommend tstats since you only use host:
| tstats count AS tstats_cnt where index = main OR index = client* by host | append [| inputlookup client_sys | rename hostname AS host ] | stats first(tstats_cnt) AS tstats_cnt by host | search NOT tstats_cnt=* | stats count AS host_dc
Other notes: client* had a space between which didn't make sense so I combined them. client_sys should be a lookup definition properly defined with a connection to an uploaded lookup file ending in .csv Double check the field name hostname in the lookup file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@landen99 I tried first the search |tstats count where index = main OR index = client* by host and return me 286 results.
When I put the whole command return the same results.
Do I have to write something after OUTPUT?
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
286 results have the lookup columns added. Do you want to see the count of hosts in the lookup not reporting in from your search time window? If so, instead of lookup, use | append [| inputlookup client_sys] and then uses a stats to bring the two together to show which are not shown, a filter on those not present in the data, and then a stats to count the ones not filtered.
| tstats count AS tstats_cnt where index = main OR index = client* by host | append [| inputlookup client_sys | rename hostname AS host ] | stats first(tstats_cnt) AS tstats_cnt by host | search NOT tstats_cnt=* | stats count AS host_dc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
suppose hostname is column name in client_sys.csv.
can you try this:
| inputlookup client_sys.csv | rename hostname as host | table host |join type=outer host [| tstats count where index=* by host ] | fillnull count value="NA" | search count=NA
This query should give you list of hosts which do not have any data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
better to avoid subsearches and replace inputlookup with lookup.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
