Splunk Search

How to create a search with dynamic changing host values


index=wineventlog sourcetype=WinEventLog* earliest=-2d host=a OR host=b OR host=c OR host=d OR host=e OR host=f host=h _index_earliest=1533053889 _index_latest=1533053914
| sort 0 +_indextime
| eval message=_raw
| table _raw,_indextime,host

We have a lookup table which we update once every month which has the hosts .Can we write a write a query which will take the hosts data from the lookup table

0 Karma


Use a subsearch to feed the list of hosts to the main search:

index=wineventlog sourcetype=WinEventLog* earliest=-2d  [ | inputlookup windows_server | fields host ]  | sort 0 +_indextime 
| eval message=_raw | table _raw,_indextime,host
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!