Splunk Search

How to match a lookup and a search over an index?

Path Finder

I have a lookup table with all active server names and I want to validate which servers on this list are running a specific agent. I have the servers with this agent's status in a different index.

The desired output would be to use the lookup table as input and use the common field dnsName to see which entries in the lookup have a match in the index. Is there any way to do this?
Initially I thought of creating another lookup with the results of the search in this index and then comparing lookup against lookup, but I was wondering if there is any way to avoid creating the 2nd lookup table.

Thanks in advance for any help you can provide.


Esteemed Legend

Like this:

index=foo [ | inputlookup servers.csv | fields dnsName | format ]
| eval which="DATA"
| inputlookup append=t servers.csv
| eval which=coalesce(which, "LOOKUP")
| stats values(*) AS * dc(which) AS which_count BY dnsName

Now, those which have which_count==2 are in both and those which have which_count==1 are in one but not the other, as noted by the value of which.


SplunkTrust

You should be able to do that with inputlookup in a subsearch.

index=foo [ | inputlookup servers.csv | fields dnsName | format ]
---
If this reply helps you, an upvote would be appreciated.

Path Finder

Hey, thanks for your reply. Let's say my universe of devices is in the lookup, and then a portion of those servers are running a specific agent that is sending its status to Index=agent_status, so I want to run a report to understand, from the population of servers in the lookup table, which of those have the agent and in what status.

I tried what you suggested, although I'm not sure it is doing what I'm looking for.


Path Finder

For instance, how can you validate which server names are in the lookup but not in the index?


SplunkTrust

My answer returns events from the 'foo' index that have a dnsName value present in the servers.csv lookup file.
To find servers not in the index, use NOT.

index=agent_status NOT [ | inputlookup servers.csv | fields dnsName | format ]

I don't have enough information to tell you how to get the specific agent information, but I hope this gets you headed in the right direction.

---
If this reply helps you, an upvote would be appreciated.
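Putting the two threads together, here is an added example (not from either answer above) that uses the inputlookup append=t / dc(which) technique from the first answer to produce the report asked for in the follow-up: every server in the lookup, whether the agent reported at all, and its latest status. It assumes a lookup servers.csv with a dnsName column, an index agent_status whose events carry dnsName and a constructed field agent_state, and a 24-hour window; dnsName is lowercased on both sides because stats BY is case-sensitive.

```spl
index=agent_status earliest=-24h
    [ | inputlookup servers.csv | fields dnsName | format ]
| eval which="DATA"
| stats latest(agent_state) AS agent_state, max(_time) AS last_seen BY dnsName, which
| inputlookup append=t servers.csv
| eval which=coalesce(which, "LOOKUP")
| eval dnsName=lower(dnsName)
| stats values(agent_state) AS agent_state, max(last_seen) AS last_seen, dc(which) AS which_count BY dnsName
| eval agent_present=if(which_count==2, "yes", "no")
| fillnull value="not reporting" agent_state
| eval last_seen=if(isnull(last_seen), "never", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table dnsName, agent_present, agent_state, last_seen
| sort agent_present, dnsName
```

Rows with agent_present="no" are the servers in the lookup with no agent events in the window, which is the gap an inventory reconciliation is meant to surface; note that the subsearch is bounded by the [subsearch] maxout limit in limits.conf (10,000 results by default), so a very large server list needs a larger limit or a lookup-based match instead.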