Re: How to write lookup to include Non-Matches?

fzuazo · ‎08-03-2022

Greetings,

I have a query I'm working on using tstats and lookup.

My lookup is named hosts_sites and has two columns, hosts and site.

My sample query is below;

| tstats latest(_time) as latest where index=main by host
| lookup hosts_sites hosts as host OUTPUT site
| table host, site, latest

How can I make sure that my table includes non-matches. I want to make sure that hosts in the lookup that were not matched are included in the table so they can be addressed/remediated

somesoni2 · ‎08-03-2022

Try like this

| tstats latest(_time) as latest where index=main by host
| append [| inputlookup hosts_sites | table host site ]
| stats values(site) as site values(latest) as latest by host
| table host, site, latest

fzuazo · ‎08-03-2022

Thanks for this, I will give it a shot !

yuanliu · ‎08-03-2022

Does your query not list non-matches? lookup command does not filter out any event so non-matches should be already included.

fzuazo · ‎08-03-2022

Unfortunately, not.

If there is a hostname in my lookup table that does not have a corresponding value in the indexed events it will not show up in my results.

How to write lookup to include Non-Matches?

lookup

tstats

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!