Splunk Search

How to write lookup to include Non-Matches?

fzuazo
Path Finder

Greetings,

I have a query I'm working on using tstats and lookup.

My lookup is named hosts_sites and has two columns, hosts and site.

My sample query is below:
| tstats latest(_time) as latest where index=main by host
| lookup hosts_sites hosts as host OUTPUT site
| table host, site, latest

How can I make sure that my table includes non-matches? I want to make sure that hosts in the lookup that were not matched are included in the table so they can be addressed/remediated.


somesoni2
Revered Legend

Try like this

| tstats latest(_time) as latest where index=main by host
| append [| inputlookup hosts_sites | rename hosts as host | table host site ]
| stats values(site) as site values(latest) as latest by host
| table host, site, latest
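As an added example (not from this thread), the same append-and-stats pattern extended so that inventory hosts with no events are flagged explicitly and the timestamp is readable; it assumes the lookup columns are hosts and site as described in the question:

```spl
| tstats latest(_time) as latest where index=main by host
| append [| inputlookup hosts_sites | rename hosts as host | table host site ]
| eval host=lower(host)
| stats values(site) as site max(latest) as latest by host
| eval status=if(isnull(latest), "no events in index=main", "reporting")
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S")
| table host, site, latest, status
| sort status, host
```

Rows whose status is "no events in index=main" are the lookup hosts the question wants surfaced for remediation; stats by host is case-sensitive, so host is lowercased before the merge to keep "WEB01" and "web01" from appearing as two rows.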

fzuazo
Path Finder

Thanks for this, I will give it a shot !


yuanliu
SplunkTrust

Does your query not list non-matches? The lookup command does not filter out any event, so non-matches should already be included.


fzuazo
Path Finder

Unfortunately not.

If there is a hostname in my lookup table that does not have a corresponding value in the indexed events it will not show up in my results.
