Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add a variable from a lookup table to filter results?

Gggflyer
New Member
‎08-09-2023 12:38 PM

I am trying to do a tstats command to get the last logged time a server has sent logs.  My server list i want in the table is in a lookup csv.

The command i am using is 

Tstats latest(_time) as lastseen where (index=windows) by host | convert ctime(lastseen)

The "where" clause i would like to be something like "where the server name is on the lookup table"

 

Basically trying to filter the output of the query to just any server i have in the lookup table

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2023 12:54 PM

Use a subsearch.

| tstats latest(_time) as lastseen where (index=windows) [ | inputlookup hostlist.csv | fields host | format ] by host 
| convert ctime(lastseen)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...