Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use inputlookup to check if hosts in a CSV have been sending events to Splunk, then use eval to output "yes" or "no"?

sbattista09
Contributor
‎07-06-2016 07:05 AM

I want to inputlookup a CSV and search the hosts in the CSV to see if they have been reporting into Splunk, and then table a report that will have the host names from the CSV with an added column that displays "yes" or "no". Not sure how I can use the eval statement to do something like eval if count is 0=no if >0=yes

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime

View solution in original post

Reply
Solved! Jump to solution

Stevelim
Communicator
‎07-06-2016 07:18 AM

You might want to use a case statement instead:

input Lookup search | eval Results =case(count == 0, "Yes", count >= 0, "No")

You can also refer to this quick reference:

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2016 07:14 AM

Try this:

| inputlookup HostList.csv 
| eval count=0 
| eval host=upper(host) 
| append [ 
|metasearch index=main latest=-7d
| eval host=upper(host) 
| stats count by host
] 
| stats sum(count) AS Total by host 
| where Total=0
| table host

after you can use eval to show the status or rangemap (see the dashboard example "Table Iconset (Rangemap)" in "Splunk 6.x Dashboard Examples".

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime
Reply
Solved! Jump to solution

sbattista09
Contributor
‎07-06-2016 11:27 AM

is there a way to format the lastTime field so that it is more human readable?

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎07-06-2016 11:41 AM

Definitely, I just modified the search for you

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎07-06-2016 07:12 AM

You can use an eval like that

| eval existing_field=if(count == "0", "No", "Yes")

Another option if the field might exist and might not:

| eval existing_field=if(isnull(field), "No", "Yes")

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...