Solved: How to write a search to filter hosts by lookup ta...

kcchu01 · ‎04-26-2016

I have a task to list out some hosts that do not receive logs in Splunk for X hours. Initially it works fine if I define the host in the search.

| metadata type=hosts | search host=*xyz | eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

However, if I want to use a lookup table with host, it does not work. The lookup table "useful_host.csv" contains single columns with hostname as following.

useful_machines
xyz
abc
def

I only want to use the lookup table instead of writing the search like this:

| metadata type=hosts | search host=xyz or host=abc or host=def |...

I searched many similar answers, but none of them work for me.

sundareshr · ‎04-27-2016

Try this

| metadata type=hosts | search [| inputlookup useful_host.csv | rename useful_machines as host ]| eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

View solution in original post

sundareshr · ‎04-27-2016

Try this

| metadata type=hosts | search [| inputlookup useful_host.csv | rename useful_machines as host ]| eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

kcchu01 · ‎04-27-2016

Thanks a lot and it works perfectly

How to write a search to filter hosts by lookup table and show their metadata?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!