Splunk Search

How to match a lookup and a search over an index?

pstamati
Path Finder

I have a lookup table with all active server names and I want to validate which servers on this list are running a specific agent. I have the servers with this agent, and their status, in a different index.

The desired output would be to use the lookup table as input and use the common field dnsName to see which entries in the lookup have a match in the index. Is there any way to do this?
Initially I thought of creating another lookup with the results of the search in this index and then comparing lookup to lookup, but I was wondering if there is any way to avoid creating the 2nd lookup table.

Thanks in advance for any help you can provide.

0 Karma

woodcock
Esteemed Legend

Like this:

index=foo [ | inputlookup servers.csv | fields dnsName | format ]
| eval which="DATA"
| inputlookup append=t servers.csv
| eval which=coalesce(which, "LOOKUP")
| stats values(*) AS * dc(which) AS which_count BY dnsName

Now, those which have which_count==2 are in both and those which have which_count==1 are in one but not the other, as noted by the value of which.

0 Karma

richgalloway
SplunkTrust

You should be able to do that with inputlookup in a subsearch.

index=foo [ | inputlookup servers.csv | fields dnsName | format ]
---
If this reply helps you, Karma would be appreciated.
0 Karma

pstamati
Path Finder

Hey, thanks for your reply. Let's say my universe of devices is in the lookup, and a portion of those servers are running a specific agent that is sending its status to index=agent_status. I want to run a report to understand, from the population of servers in the lookup table, which of those have the agent and in what status.

I tried what you suggested, although I'm not sure it is doing what I'm looking for.

0 Karma

pstamati
Path Finder

For instance how can you validate which server names are in the lookup but not in the index?

0 Karma

richgalloway
SplunkTrust

My answer returns events from the 'foo' index that have a dnsName value present in the servers.csv lookup file.
To find servers not in the index, use NOT.

index=agent_status NOT [ | inputlookup servers.csv | fields dnsName | format ]

I don't have enough information to tell you how to get the specific agent information, but I hope this gets you headed in the right direction.

---
If this reply helps you, Karma would be appreciated.
0 Karma
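Putting the two answers together as one report, as an added example that is not code from either poster: the subsearch from richgalloway's reply restricts the index search to hosts named in the lookup, and woodcock's append-and-count pattern then tags every dnsName as seen in the index ("DATA"), in the lookup ("LOOKUP"), or both. The index name agent_status, the lookup name servers.csv with a column dnsName, and the event field agent_status are assumptions for illustration; the real column name in the lookup must match exactly, because field names in SPL are case-sensitive even though the search terms generated by format are not.

```spl
index=agent_status [ | inputlookup servers.csv | fields dnsName | format ]
| stats latest(agent_status) AS agent_status, latest(_time) AS last_seen BY dnsName
| eval which="DATA"
| inputlookup append=t servers.csv
| eval which=coalesce(which, "LOOKUP"), dnsName=lower(dnsName)
| stats values(which) AS which, values(agent_status) AS agent_status, max(last_seen) AS last_seen BY dnsName
| eval coverage=if(mvcount(which)==2, "agent reporting", "in lookup, no agent events")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table dnsName, coverage, agent_status, last_seen
```

The first stats collapses each host's events to its latest status before the lookup rows are appended, so the second stats merges exactly one index row with one lookup row per host; mvcount(which)==2 then marks hosts present on both sides. Appending `| search coverage="in lookup, no agent events"` answers the follow-up question of which servers in the lookup never report. Two caveats a practitioner will want: the lower() on dnsName is there because stats BY is case-sensitive, so without it HOST1 from the lookup and host1 from the index land in separate rows and are never matched; and a subsearch returns at most 10,000 results by default (limits.conf [subsearch] maxout), so a lookup larger than that silently truncates the generated filter. Dropping the subsearch removes that limit and also surfaces hosts that report but are missing from the lookup (they show up with which="DATA" only), at the cost of reading the whole index.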