Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search a list of names and compare it to a different list of names?

atebysandwich
Path Finder
‎02-10-2023 09:26 AM

I have two lists: one has a list of hostnames and another has a list of prefixes to hostnames. I would like to create a search with an output showing hosts that do not have a name containing  any of the prefixes in the second list. 

Example: 

Inputlookup                                         Lookup

Hostname                                             Hostname Prefix

appletown                                             town
treeville                                                   tree

I would like to create a search showing a list of hostnames from the first list that do not contain any of the hostnames in the second. 

Labels (1)
Labels
0 Karma
Reply

andrew_nelson
Communicator
‎02-10-2023 10:05 AM

You could use wildcard matching on the prefix lookup. 

Create your prefix lookup like this : 
prefix, match_type
*tree*, Tree
*town*, Town 

Then create a lookup definition for the prefix lookup with the additional settings WILDCARD(prefix)

You can then run a search like   

|inputlookup hostsfile 
| lookup prefix_lookup_definition prefix as Hostname



0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...