Splunk Search

How do I write this search to find these 2 fields with the lookup hostname?

RanjiRaje
Explorer

Hi, I need your suggestion here. Please guide me

I have a lookup file with list of hosts. I need to compare it with splunk data and populate the matching count.

Query: 

index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB)
| fields device.hostname,event.HostName
| rename device.hostname as hostfield, event.HostName as hostfield
| lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform
| fields hostfield,Platform
| stats dc(hostfield) as "totalcount" by Platform



I have 2 different sourcetype under the same index. sourceA has a field "device.hostname" and sourceB has a fields "event.HostName".

[  lookup file --> hostfield: AA,BB,CC

sourceA,device.hostname --> AA,XX,YY

sourceB,event.HostName --> CC,PP,KK

my output count should be 2    ]

If any of these 2 fields value is matching with the lookup hostname, then it should be considered.
I tried rename command. Please provide your inputs..

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @RanjiRaje,

pease try this:

index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB)
| rename device.hostname AS hostname event.HostName AS HostName
| eval hostfield=coalesce(hostname,HostName)
| lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform
| stats dc(hostfield) AS "totalcount" BY Platform

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @RanjiRaje,

instead rename, you could use eval coalesce to have one field called hostname:

index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB)
| eval hostfield=coalesce(device.hostname,event.HostName)
| lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform
| stats dc(hostfield) AS "totalcount" BY Platform

Ciao.

Giuseppe

0 Karma

RanjiRaje
Explorer

Hi Sir,

I tried with eval - coalesce command too. But it didnt give the output.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @RanjiRaje,

pease try this:

index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB)
| rename device.hostname AS hostname event.HostName AS HostName
| eval hostfield=coalesce(hostname,HostName)
| lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform
| stats dc(hostfield) AS "totalcount" BY Platform

Ciao.

Giuseppe

0 Karma

RanjiRaje
Explorer

Thanks sir for a quick response. renamed and tried using coalesce. It worked !!!!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @RanjiRaje,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...