Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find events for only host names listed in my lookup file?

adamscaa1
Explorer
‎03-14-2023 10:15 AM

I have a lookup file of HostNames

HostName
Host1
Host2
Host3
Host4
Host5

 

I would like to create a search to include events that are only from these hostnames listed in my lookup file.  How do I do this.? Which "host" field matches the "Hostname" field in my lookup file.

An example would be, I am looking for which of these host that are sending windows security logs or not. I know all these systems should be, but some are not, and I want to know which ones are and which one are not using the lookup file.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-14-2023 10:20 PM

You do the opposite.

 

| inputlookup <lookup file> where NOT
    [ search <base search>
    | stats values(host) as HostName ]

 

View solution in original post

Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-15-2023 07:05 AM

Thanks all, I was able to accomplish what I needed using the following.

To get me the hostnames matching events from my lookup this worked.

<search> [| inputlookup <lookup file> | rename HostName as host | fields host | format]

To get "HostNames" of which no events were found meaning they are not sending anything. This worked...

| inputlookup <lookup file> where NOT
    [ search <base search>
    | stats values(host) as HostName ]

Thanks again to all who help me with this.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2023 10:31 AM 
<search> [| inputlookup <lookup file> | rename HostName as host | fields host | format]
Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-14-2023 11:57 AM

Thank you, this works perfect to get me the host matching events. So, now I need to see the "HostName" of which no events were found meaning they are not sending anything. Using a NOT it just gives me all host not on the lookup list. How can I get a list of the hostnames from the lookup with no recorded events at all.

<search> NOT [| inputlookup <lookup file> | rename HostName as host | fields host | format]

Thanks,

 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-14-2023 11:30 PM

How many hosts do you have in your lookup file? 

Depending on volume, a typical way to find missing things is to do

<search>
``` Find all the hosts in your data ```
| stats count by host
``` These are 'type 0' ```
| eval type=0
``` Append all the required hosts as type 1```
| append [
  | inputlookup lookup_file
  | rename Hostname as host
  | eval type=1
]
``` And find all cases where type is from lookup only ```
| stats min(type) as type by host
| where type=1

 

Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-15-2023 06:29 AM

I have about 30 host names on my lookup.

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-14-2023 10:20 PM

You do the opposite.

 

| inputlookup <lookup file> where NOT
    [ search <base search>
    | stats values(host) as HostName ]

 

Reply
Solved! Jump to solution

adamscaa1
Explorer
‎03-15-2023 06:56 AM

Thanks, that works perfect..

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...