Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return a list of hosts from a lookup table, but not in events?

chrisfrigo
Path Finder
‎06-17-2015 10:30 PM

Hi,

I'm using a lookup table with approx 107,000 lines and 6MB in size. Trying to display a list of hosts which are in a lookup table, but not in the Splunk events. The below search seems to work, but not effectively. The results display 96,648. I'm expecting more around 50,000. When I search a host which is in the results, it is contained in the Splunk events which validates it's not effective. Any idea whether there are limits on size of lookup tables? 

| inputlookup workstations | rename fielda AS fieldb | dedup fieldb | search NOT [search index=index-name  | dedup fieldb | fields fieldb]
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisfrigo
Path Finder
‎06-18-2015 09:48 PM

Ended up being subsearch limit to 10500 lines. updated the maxout and now working.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Limitsconf

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vganjare
Builder
‎06-18-2015 10:40 PM

You can try using multisearch command. e.g.

| multisearch [| inputlookup workstations | rename fielda AS fieldb | dedup fieldb | eval LOOKUP_CHECK="YES"] [search index=index-name  | dedup fieldb | fields fieldb | eval INDEX_CHECK="YES"] | stats values(LOOKUP_CHECK) as LOOKUP_CHECK, values(INDEX_CHECK) as INDEX_CHECK by fieldb | fillnull values="NULL" LOOKUP_CHECK | search LOOKUP_CHECK="NULL"

Thanks!!

0 Karma
Reply
Solved! Jump to solution
Solution

chrisfrigo
Path Finder
‎06-18-2015 09:48 PM

Ended up being subsearch limit to 10500 lines. updated the maxout and now working.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Limitsconf

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎06-17-2015 11:09 PM

What with this?

index=index-name | dedup fieldb | fields fieldb | search NOT [ inputlookup workstations | rename fielda AS fieldb | dedup fieldb fields fieldb]

0 Karma
Reply
Solved! Jump to solution

chrisfrigo
Path Finder
‎06-18-2015 12:22 AM

I see what your saying, the results should be minimal. but they are not matching. of the total 86,000 events, there are 76,000 display.

I will try reduce the CSV size

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...