Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to show matched and unmatched lookup results?

vinit_masaun
Explorer
‎02-23-2023 04:49 PM

Hello,

I have the following query that shows the results of all the values from the splunk events that matched with the values in the lookup table; however I would also like to display those values in the lookup table that are not present in the splunk events:

| metadata type=hosts index=_internal
| rex field=host "(?<host>.+)--.+)"
| lookup mylookup Name as host OUTPUT Name "IP Address" as IP Classification "Used for" as used_for
| fillnull value="No match"
| search Classification=Production used_for!=*Citrix* used_for!=*Virtualization*
| stats c by host,Name,IP,Classification,used_for
| fields - c

How can I show both matched and unmatched values?

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-23-2023 06:15 PM

This is a classic "missing hosts" problem, which simply involves appending the lookup at the end and then aggregating to remove the duplicates, i.e.

| metadata type=hosts index=_internal
| rex field=host "(?<host>.+)--.+)"
| lookup mylookup Name as host OUTPUT Name "IP Address" as IP Classification "Used for" as used_for
| fillnull value="No match"
| search Classification=Production used_for!=*Citrix* used_for!=*Virtualization*
| stats c by host,Name,IP,Classification,used_for
| fields - c
| append [
  | inputlookup mylookup 
  | fields Name "IP Address" as IP Classification "Used for" as used_for
]
| stats first(*) as * by Name IP

add as many fields to the by clause as needed

0 Karma
Reply

vinit_masaun
Explorer
‎02-23-2023 06:35 PM

I tried the above append command with my original query but still got the same results.  It's only showing values that matched.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-23-2023 06:45 PM

Please show what you tried.

0 Karma
Reply

vinit_masaun
Explorer
‎02-23-2023 06:50 PM

| metadata type=hosts index=_internal
| rex field=host "(?<host>.+)(--.+|---.+)"
| lookup mylookup Name as host OUTPUT Name "IP Address" as IP Classification "Used for" as used_for | fill null value="No match"| search Classification=Production used_for!=*Citrix* used_for!=*Virtualization*
| stats c by host,Name,IP,Classification,used_for
| fields - c
| append
[| inputlookup mylookup
| fields Name "IP Address" as IP Classification "Used for" as used_for ]
| stats first(*) as * by Name IP

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-23-2023 09:56 PM

My mistake - I copy/pasted your renames but that doesn't work as fields statement - please use this append

| append [
  | inputlookup mylookup 
  | fields Name "IP Address" Classification "Used for"
  | rename "IP Address" as IP "Used for" as used_for
]
0 Karma
Reply

vinit_masaun
Explorer
‎02-23-2023 10:24 PM

Thank You!  Your example didn't quite work as is but it pointed me in the right direction and the following query is what ended up working for my use case:

| metadata type=hosts index=_internal
| rex field=host "(?<host>.+)(--.+|---.+)"
| lookup mylookup Name as host OUTPUT Name "IP Address" as IP Classification "Used for" as used_for
| stats c by host,Name,IP,Classification,used_for
| fields - c
| append
[| inputlookup mylookup
| fields Name "IP Address" Classification "Used for"
| rename "IP Address" as IP "Used for" as used_for ]
| fillnull value="Missing in Splunk" host
| search Classification=Production used_for!=*Citrix* used_for!=*Virtualization* used_for!="ESX Server"
| stats first(*) as * by Name,IP,Classification,used_for
| table host,Name,IP,Classification,used_for

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...