Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to filter hosts by lookup table and show their metadata?

kcchu01
Explorer
‎04-26-2016 09:47 PM

I have a task to list out some hosts that do not receive logs in Splunk for X hours. Initially it works fine if I define the host in the search.

| metadata type=hosts | search host=*xyz | eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

However, if I want to use a lookup table with host, it does not work. The lookup table "useful_host.csv" contains single columns with hostname as following.

useful_machines
xyz
abc
def

I only want to use the lookup table instead of writing the search like this:

| metadata type=hosts | search host=xyz or host=abc or host=def |...

I searched many similar answers, but none of them work for me.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-27-2016 07:21 AM

Try this

| metadata type=hosts | search [| inputlookup useful_host.csv | rename useful_machines as host ]| eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-27-2016 07:21 AM

Try this

| metadata type=hosts | search [| inputlookup useful_host.csv | rename useful_machines as host ]| eval since=now()-lastTime | search since>36 | rename lastTime as "Last Event"| fieldformat "Last Event"=strftime('Last Event', "%c") | table host,"Last Event",since
Reply
Solved! Jump to solution

kcchu01
Explorer
‎04-27-2016 06:22 PM

Thanks a lot and it works perfectly

Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...