Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a search where if results under "query" field matches anything under hostname, then alert or show results?

YangThomas
New Member
‎12-04-2022 09:50 AM

Currently using splunkes' managed lookup table called hosts. There's a field too called hostname within the file.

I'm trying to create a search where if results under "query" field matches anything under hostname, then alert or show results.

here's what I have so far..

index=opendns
[ | inputlookup hosts
| search hostname
| table hostname query]

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2022 10:13 AM

Hi @YangThomas,

in a subsearch you have to use the exact fieldnames of the main search, in other words i you want to match the hostname field (in the lookup) with the host field in the search, you have to rename it.

I don't understand what you want to match with the "query" field, also because query is a special name in SPL, anyway if query is a field both in the lookup and the main search, you could try something like this:

index=opendns
[ | inputlookup hosts
| rename hostname AS host
| table host query]

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...