Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use inputlookup to check if hosts in a CSV have been sending events to Splunk, then use eval to output "yes" or "no"?

sbattista09
Contributor
‎07-06-2016 07:05 AM

I want to inputlookup a CSV and search the hosts in the CSV to see if they have been reporting into Splunk, and then table a report that will have the host names from the CSV with an added column that displays "yes" or "no". Not sure how I can use the eval statement to do something like eval if count is 0=no if >0=yes

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime

View solution in original post

Reply
Solved! Jump to solution

Stevelim
Communicator
‎07-06-2016 07:18 AM

You might want to use a case statement instead:

input Lookup search | eval Results =case(count == 0, "Yes", count >= 0, "No")

You can also refer to this quick reference:

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2016 07:14 AM

Try this:

| inputlookup HostList.csv 
| eval count=0 
| eval host=upper(host) 
| append [ 
|metasearch index=main latest=-7d
| eval host=upper(host) 
| stats count by host
] 
| stats sum(count) AS Total by host 
| where Total=0
| table host

after you can use eval to show the status or rangemap (see the dashboard example "Table Iconset (Rangemap)" in "Splunk 6.x Dashboard Examples".

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime
Reply
Solved! Jump to solution

sbattista09
Contributor
‎07-06-2016 11:27 AM

is there a way to format the lastTime field so that it is more human readable?

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎07-06-2016 11:41 AM

Definitely, I just modified the search for you

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎07-06-2016 07:12 AM

You can use an eval like that

| eval existing_field=if(count == "0", "No", "Yes")

Another option if the field might exist and might not:

| eval existing_field=if(isnull(field), "No", "Yes")

Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Top