Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to use an inputlookup command with an OR statement?

a212830
Champion
‎10-02-2018 03:38 PM

Hi,

I have a query that uses this search to look for hosts that we need to validate:

|tstats count WHERE index=* AND [ |inputlookup testSVB2.csv |fields + host] groupby host, index, sourcetype

I'd like to expand this, so that it uses additional columns against the host field. I'd have an IP column, and a fully qualified domain name (FQDN) column in the lookup, and then search and compare those to the host field.

I'm guessing that an "OR" statement is the best option, but I don't see any way to do that in this scenario. Does anyone have a suggestion?

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎10-15-2018 10:22 AM

Don't forget about some commands that might help take this in a different approach:

  • Multisearch - to collect data from multiple streams
  • Eval's coalesce - a more elegant 'case' structure for null checking

While not perfect, it could allow you to solve this with a more streaming style approach.

0 Karma
Reply

vupham
Explorer
‎10-02-2018 06:34 PM

you'll want to combine all your fields from your csv into one like :

[| inputlookup testSVB2.csv | eval host=mvappend(host,ip,fqdn) | fields + host | format]

The format at the end might be redundant, but if you do the subsearch on its own without the brackets, the format command allows you to see what the resulting filter is.

It'll probably look like

( ( ( host="*hostname1*" OR host="*ip1*" OR host="*fqdn1*" ) ) ) AND ( ( ( host="*hostname2*" OR host="*ip2*" OR host="*fqdn2*" ) ) ) [AND ...]

you can also modify the format command delimiters to change the behavior of the subsearch results

0 Karma
Reply

a212830
Champion
‎10-03-2018 05:49 AM

Thanks. This is great...

Is there a way to validate that a match has occurred against the row from the lookup? Each row contains host, ip (and possibly fqdn). We get lists with dozens of servers/ip's and while this search is great, it would help if I could easily identify that a match was made (or wasn't made) against the row.

0 Karma
Reply

vupham
Explorer
‎10-03-2018 06:43 AM

I'm not sure if there is an elegant way to do that, especially when you're dealing with different columns. Maybe you can start by expanding the csv so that you have the hostname, ip, and fqdns on separate rows with some column to indicate what row they were in. do the join, and then recombine the rows afterwards.

This might get you halfway there.
|inputlookup testSVB2.csv | streamstats count as row | eval host=mvappend(host,ip,fqdn) | fields - ip fqdn | mvexpand host | join type=left host [|tstats count WHERE index=* AND [ | inputlookup testSVB2.csv | eval host=mvappend(host,ip,fqdn) | fields + host | format ] by host, index, sourcetype]

0 Karma
Reply

HiroshiSatoh
Champion
‎10-02-2018 05:49 PM

I think that it should convert it like this sample and use it.

ex.
    inputlookup testSVB2.csv | rex field=host "^(?<host>[^\.]+)|fields + host"
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top