Splunk Search

How to pass the value in main query from the lookup file in a list of servers?

Builder

I have a list of server in lookup file and I want to create an alert.
The list of server names in the lookup file(around 90 servers) and I need to pass the value in the main query from the lookup file.

The column server has a value with around 90servers so I need to pass the 90 servers values in the search.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

index=foo [| inputlookup yourlookup.csv OUTPUTNEW hostFieldFromLookup AS host | fields host | format host]

Which will turn into

index=foo (host=hostname1 OR host=hostname2 OR ...)

View solution in original post

0 Karma

Super Champion

if lookup file is already created in splunk then use

...|inputlookup <filename>
0 Karma

Builder

it will not work.

i need to read the lookup file and pass the value to sub-search

0 Karma

Super Champion

have you created lookup file in splunk? what is the name of lookup file?

0 Karma

Builder

i am using below search

|inputlookup productionsites where Type="Data"|fields Type|format|table search|mvexpand search | stats count by search|rename search as R|map search="search index="perfmo" host=\"$R$\" source="Perfmon" sourcetype="PhysicalDisk" counter="sec/Read" (instance="G:" OR instance="J:")"

0 Karma

Super Champion

can you share sample values of lookup

|inputlookup production_sites

check if this above query gives output

|inputlookup production_sites where Type="Data"|fields Type

this query only give Type="data" as field I don't hink if thats you are looking for
as fields command limits the output to show only specific fields in this case as Type

0 Karma

SplunkTrust
SplunkTrust

index=foo [| inputlookup yourlookup.csv OUTPUTNEW hostFieldFromLookup AS host | fields host | format host]

Which will turn into

index=foo (host=hostname1 OR host=hostname2 OR ...)

View solution in original post

0 Karma

Builder

i need to get a data from lookup file and have to pass it in same query of the sub search

0 Karma