I have a lookup file of HostNames
| HostName |
|---|
| Host1 |
| Host2 |
| Host3 |
| Host4 |
| Host5 |
I would like to create a search that includes only events from the hostnames listed in my lookup file. How do I do this? Which "host" field matches the "HostName" field in my lookup file?
An example would be: I am looking for which of these hosts are sending Windows security logs and which are not. I know all these systems should be, but some are not, and I want to know which ones are and which ones are not, using the lookup file.

You do the opposite.
| inputlookup <lookup file> where NOT
[ search <base search>
| stats values(host) as HostName ]
Thanks all, I was able to accomplish what I needed using the following.
To get the hostnames from my lookup that match events, this worked:
<search> [| inputlookup <lookup file> | rename HostName as host | fields host | format]
To get the "HostNames" for which no events were found, meaning they are not sending anything, this worked:
| inputlookup <lookup file> where NOT [ search <base search> | stats values(host) as HostName ]
Thanks again to all who helped me with this.

<search> [| inputlookup <lookup file> | rename HostName as host | fields host | format]
Thank you, this works perfectly to get me the hosts matching events. So now I need to see the "HostName" values for which no events were found, meaning they are not sending anything. Using a NOT just gives me all hosts not on the lookup list. How can I get a list of the hostnames from the lookup with no recorded events at all?
<search> NOT [| inputlookup <lookup file> | rename HostName as host | fields host | format]
Thanks,

How many hosts do you have in your lookup file?
Depending on volume, a typical way to find missing things is to do
<search>
``` Find all the hosts in your data ```
| stats count by host
``` These are 'type 0' ```
| eval type=0
``` Append all the required hosts as type 1```
| append [
| inputlookup lookup_file
| rename HostName as host
| eval type=1
]
``` And find all cases where type is from lookup only ```
| stats min(type) as type by host
| where type=1
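The thread ends up with two separate searches, one for hosts that are reporting and one for hosts that are silent. As an added example (not code from this thread), the search below combines the `format` subsearch and the `append` trick into one report that lists every host in the lookup with a `reporting`/`missing` status and the time it was last seen. The index name `wineventlog`, the sourcetype `WinEventLog:Security` and the lookup file name `expected_hosts.csv` (with a `HostName` column) are assumptions; the `lower()` calls are there because `stats ... by host` is case-sensitive while the search-time filter is not, so `Host1` and `HOST1` would otherwise be counted as different systems.

```spl
index=wineventlog sourcetype="WinEventLog:Security" earliest=-24h
    [| inputlookup expected_hosts.csv
     | rename HostName as host
     | fields host
     | format]
| eval host=lower(host)
| stats count as events, latest(_time) as last_seen by host
| append
    [| inputlookup expected_hosts.csv
     | eval host=lower(HostName), events=0
     | fields host events]
| stats max(events) as events, max(last_seen) as last_seen by host
| eval status=if(events>0, "reporting", "missing"),
       last_seen=if(events>0, strftime(last_seen, "%Y-%m-%d %H:%M:%S"), "never")
| sort status, host
```

With about 30 hosts the subsearch result limits are not a concern, but if the Windows hosts report a fully qualified name while the lookup holds short names, both sides need the same normalization (for example `replace(host, "\..*$", "")` before the `stats`) or every host will show as missing.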
I have about 30 host names on my lookup.
Thanks, that works perfectly.
