Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use inputlookup to check if hosts in a CSV have been sending events to Splunk, then use eval to output "yes" or "no"?

sbattista09
Contributor
‎07-06-2016 07:05 AM

I want to inputlookup a CSV and search the hosts in the CSV to see if they have been reporting into Splunk, and then table a report that will have the host names from the CSV with an added column that displays "yes" or "no". Not sure how I can use the eval statement to do something like eval if count is 0=no if >0=yes

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime

View solution in original post

Reply
Solved! Jump to solution

Stevelim
Communicator
‎07-06-2016 07:18 AM

You might want to use a case statement instead:

input Lookup search | eval Results =case(count == 0, "Yes", count >= 0, "No")

You can also refer to this quick reference:

Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎07-06-2016 07:14 AM

Try this:

| inputlookup HostList.csv 
| eval count=0 
| eval host=upper(host) 
| append [ 
|metasearch index=main latest=-7d
| eval host=upper(host) 
| stats count by host
] 
| stats sum(count) AS Total by host 
| where Total=0
| table host

after you can use eval to show the status or rangemap (see the dashboard example "Table Iconset (Rangemap)" in "Splunk 6.x Dashboard Examples".

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime
Reply
Solved! Jump to solution

sbattista09
Contributor
‎07-06-2016 11:27 AM

is there a way to format the lastTime field so that it is more human readable?

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎07-06-2016 11:41 AM

Definitely, I just modified the search for you

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎07-06-2016 07:12 AM

You can use an eval like that

| eval existing_field=if(count == "0", "No", "Yes")

Another option if the field might exist and might not:

| eval existing_field=if(isnull(field), "No", "Yes")

Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...