Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find events for only host names listed in my lookup file?

adamscaa1
Explorer
‎03-14-2023 10:15 AM

I have a lookup file of HostNames

HostName
Host1
Host2
Host3
Host4
Host5

 

I would like to create a search to include events that are only from these hostnames listed in my lookup file.  How do I do this.? Which "host" field matches the "Hostname" field in my lookup file.

An example would be, I am looking for which of these host that are sending windows security logs or not. I know all these systems should be, but some are not, and I want to know which ones are and which one are not using the lookup file.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-14-2023 10:20 PM

You do the opposite.

 

| inputlookup <lookup file> where NOT
    [ search <base search>
    | stats values(host) as HostName ]

 

View solution in original post

Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-15-2023 07:05 AM

Thanks all, I was able to accomplish what I needed using the following.

To get me the hostnames matching events from my lookup this worked.

<search> [| inputlookup <lookup file> | rename HostName as host | fields host | format]

To get "HostNames" of which no events were found meaning they are not sending anything. This worked...

| inputlookup <lookup file> where NOT
    [ search <base search>
    | stats values(host) as HostName ]

Thanks again to all who help me with this.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2023 10:31 AM 
<search> [| inputlookup <lookup file> | rename HostName as host | fields host | format]
Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-14-2023 11:57 AM

Thank you, this works perfect to get me the host matching events. So, now I need to see the "HostName" of which no events were found meaning they are not sending anything. Using a NOT it just gives me all host not on the lookup list. How can I get a list of the hostnames from the lookup with no recorded events at all.

<search> NOT [| inputlookup <lookup file> | rename HostName as host | fields host | format]

Thanks,

 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-14-2023 11:30 PM

How many hosts do you have in your lookup file? 

Depending on volume, a typical way to find missing things is to do

<search>
``` Find all the hosts in your data ```
| stats count by host
``` These are 'type 0' ```
| eval type=0
``` Append all the required hosts as type 1```
| append [
  | inputlookup lookup_file
  | rename Hostname as host
  | eval type=1
]
``` And find all cases where type is from lookup only ```
| stats min(type) as type by host
| where type=1

 

Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-15-2023 06:29 AM

I have about 30 host names on my lookup.

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-14-2023 10:20 PM

You do the opposite.

 

| inputlookup <lookup file> where NOT
    [ search <base search>
    | stats values(host) as HostName ]

 

Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-15-2023 06:56 AM

Thanks, that works perfect..

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...