Re: How to write lookup to include Non-Matches?

fzuazo · ‎08-03-2022

Greetings,

I have a query I'm working on using tstats and lookup.

My lookup is named hosts_sites and has two columns, hosts and site.

My sample query is below;

| tstats latest(_time) as latest where index=main by host
| lookup hosts_sites hosts as host OUTPUT site
| table host, site, latest

How can I make sure that my table includes non-matches. I want to make sure that hosts in the lookup that were not matched are included in the table so they can be addressed/remediated

somesoni2 · ‎08-03-2022

Try like this

| tstats latest(_time) as latest where index=main by host
| append [| inputlookup hosts_sites | table host site ]
| stats values(site) as site values(latest) as latest by host
| table host, site, latest

fzuazo · ‎08-03-2022

Thanks for this, I will give it a shot !

yuanliu · ‎08-03-2022

Does your query not list non-matches? lookup command does not filter out any event so non-matches should be already included.

fzuazo · ‎08-03-2022

Unfortunately, not.

If there is a hostname in my lookup table that does not have a corresponding value in the indexed events it will not show up in my results.

How to write lookup to include Non-Matches?

lookup

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation