Splunk Search

How to write a search to filter hosts by lookup table and show their metadata?

kcchu01
Explorer

I have a task to list out some hosts that do not receive logs in Splunk for X hours. Initially it works fine if I define the host in the search.

| metadata type=hosts | search host=*xyz | eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

However, if I want to use a lookup table with the hosts, it does not work. The lookup table "useful_host.csv" contains a single column with hostnames, as follows.

useful_machines
xyz
abc
def

I only want to use the lookup table instead of writing the search like this:

| metadata type=hosts | search host=xyz or host=abc or host=def |...

I searched many similar answers, but none of them work for me.

1 Solution

sundareshr
Legend

Try this

| metadata type=hosts | search [| inputlookup useful_host.csv | rename useful_machines as host ]| eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

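Added example, not from the thread: the same check as the accepted answer, written in Python against a constructed copy of useful_host.csv and constructed host metadata, so the logic can be verified offline. It assumes the threshold is given in seconds, because now() and lastTime are epoch seconds (so since>36 in the SPL above means 36 seconds, not hours), and it goes one step beyond the subsearch: it also lists lookup hosts that have no metadata at all, which a filter over | metadata can never return because such hosts have no entry to filter.

```python
import csv
import io
import time
from typing import Dict, List, Optional

# Constructed stand-in for "| metadata type=hosts" output:
# host -> lastTime (epoch seconds of the newest indexed event).
NOW = 1_700_000_000  # fixed "now()" so the example is deterministic
METADATA: Dict[str, int] = {
    "xyz": NOW - 2 * 3600,     # seen 2 hours ago: healthy
    "abc": NOW - 40 * 3600,    # silent for 40 hours: stale
    "other": NOW - 100 * 3600, # not in the lookup, so ignored
}

# Constructed copy of useful_host.csv from the question.
LOOKUP_CSV = "useful_machines\nxyz\nabc\ndef\n"


def load_lookup(csv_text: str, column: str = "useful_machines") -> List[str]:
    """Equivalent of '| inputlookup useful_host.csv | rename useful_machines as host'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if row[column].strip()]


def stale_hosts(metadata: Dict[str, int], lookup: List[str],
                threshold_seconds: int, now: Optional[int] = None) -> List[dict]:
    """Lookup hosts whose last event is older than threshold_seconds.

    Mirrors 'eval since=now()-lastTime | search since>THRESHOLD', and also
    reports lookup hosts with no metadata entry (never indexed, or rolled
    off), which the SPL subsearch silently drops.
    """
    now = int(time.time()) if now is None else now
    rows = []
    for host in lookup:
        last = metadata.get(host)
        if last is None:
            rows.append({"host": host, "Last Event": None, "since": None})
            continue
        since = now - last
        if since > threshold_seconds:
            rows.append({"host": host,
                         "Last Event": time.strftime("%c", time.gmtime(last)),
                         "since": since})
    return rows


if __name__ == "__main__":
    for row in stale_hosts(METADATA, load_lookup(LOOKUP_CSV), 36 * 3600, now=NOW):
        print(row)
```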


kcchu01
Explorer

Thanks a lot, it works perfectly.
