Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to table list of values from lookup NOT found in Splunk?

_gkollias
Builder
‎08-03-2015 06:54 AM

I have a lookup that lists x number of values. I would like to be able to discover how many of those aren't actually logged in Splunk and table them. Initially, I tried something like this:

inputlookup lookup_values.csv  NOT [search index=contract_gateway sourcetype=esb_audit bp_bp_name=* | fields *]
| table values
| dedup values

I am not getting any results, but I know I am missing results by the count of results I see when I pull all data that I can find in Splunk for that list of values.

Any insights on query enhancements would be greatly appreciated.

Thanks in Advance

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎08-03-2015 07:14 AM

Let us assume both sets of data share a field called host, then do it like this:

index=contract_gateway sourcetype=esb_audit bp_bp_name=* | eval type=events
| appendpipe [|inputlookup lookup_values.csv | eval type=lookup]
| stats dc(type) AS numTypes values(*) AS * BY host
| where numTypes=1 AND type=events
Reply

_gkollias
Builder
‎08-03-2015 07:48 AM

Thanks, Woodcock

I attempted to run the search, however it's running extremely slow and I'm afraid of sucking the memory out of the indexer :). The values I am looking for are spread across a 120 day time range, so essentially I am running the query over "All time".

I'll try and come up with something similar to help with its performance.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-03-2015 07:54 AM

I don't think there is much opportunity for optimization, unfortunately, but this approach should definitely work.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...