Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use inputlookup to check if hosts in a CSV have been sending events to Splunk, then use eval to output "yes" or "no"?

sbattista09
Contributor
‎07-06-2016 07:05 AM

I want to inputlookup a CSV and search the hosts in the CSV to see if they have been reporting into Splunk, and then table a report that will have the host names from the CSV with an added column that displays "yes" or "no". Not sure how I can use the eval statement to do something like eval if count is 0=no if >0=yes

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime

View solution in original post

Reply
Solved! Jump to solution

Stevelim
Communicator
‎07-06-2016 07:18 AM

You might want to use a case statement instead:

input Lookup search | eval Results =case(count == 0, "Yes", count >= 0, "No")

You can also refer to this quick reference:

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2016 07:14 AM

Try this:

| inputlookup HostList.csv 
| eval count=0 
| eval host=upper(host) 
| append [ 
|metasearch index=main latest=-7d
| eval host=upper(host) 
| stats count by host
] 
| stats sum(count) AS Total by host 
| where Total=0
| table host

after you can use eval to show the status or rangemap (see the dashboard example "Table Iconset (Rangemap)" in "Splunk 6.x Dashboard Examples".

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime
Reply
Solved! Jump to solution

sbattista09
Contributor
‎07-06-2016 11:27 AM

is there a way to format the lastTime field so that it is more human readable?

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎07-06-2016 11:41 AM

Definitely, I just modified the search for you

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎07-06-2016 07:12 AM

You can use an eval like that

| eval existing_field=if(count == "0", "No", "Yes")

Another option if the field might exist and might not:

| eval existing_field=if(isnull(field), "No", "Yes")

Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top