Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to filter hosts by lookup table and show their metadata?

kcchu01
Explorer
‎04-26-2016 09:47 PM

I have a task to list out some hosts that do not receive logs in Splunk for X hours. Initially it works fine if I define the host in the search.

| metadata type=hosts | search host=*xyz | eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

However, if I want to use a lookup table with host, it does not work. The lookup table "useful_host.csv" contains single columns with hostname as following.

useful_machines
xyz
abc
def

I only want to use the lookup table instead of writing the search like this:

| metadata type=hosts | search host=xyz or host=abc or host=def |...

I searched many similar answers, but none of them work for me.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-27-2016 07:21 AM

Try this

| metadata type=hosts | search [| inputlookup useful_host.csv | rename useful_machines as host ]| eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-27-2016 07:21 AM

Try this

| metadata type=hosts | search [| inputlookup useful_host.csv | rename useful_machines as host ]| eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since
Reply
Solved! Jump to solution

kcchu01
Explorer
‎04-27-2016 06:22 PM

Thanks a lot and it works perfectly

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...