Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is it possible to use an inputlookup command with an OR statement?

a212830
Champion
‎10-02-2018 03:38 PM

Hi,

I have a query that uses this search to look for hosts that we need to validate:

|tstats count WHERE index=* AND [ |inputlookup testSVB2.csv |fields + host] groupby host, index, sourcetype

I'd like to expand this, so that it uses additional columns against the host field. I'd have an IP column, and a fully qualified domain name (FQDN) column in the lookup, and then search and compare those to the host field.

I'm guessing that an "OR" statement is the best option, but I don't see any way to do that in this scenario. Does anyone have a suggestion?

0 Karma
Reply

sloshburch
Ultra Champion
‎10-15-2018 10:22 AM

Don't forget about some commands that might help take this in a different approach:

  • Multisearch - to collect data from multiple streams
  • Eval's coalesce - a more elegant 'case' structure for null checking

While not perfect, it could allow you to solve this with a more streaming style approach.

0 Karma
Reply

vupham
Explorer
‎10-02-2018 06:34 PM

you'll want to combine all your fields from your csv into one like :

[| inputlookup testSVB2.csv | eval host=mvappend(host,ip,fqdn) | fields + host | format]

The format at the end might be redundant, but if you do the subsearch on its own without the brackets, the format command allows you to see what the resulting filter is.

It'll probably look like

( ( ( host="*hostname1*" OR host="*ip1*" OR host="*fqdn1*" ) ) ) AND ( ( ( host="*hostname2*" OR host="*ip2*" OR host="*fqdn2*" ) ) ) [AND ...]

you can also modify the format command delimiters to change the behavior of the subsearch results

0 Karma
Reply

a212830
Champion
‎10-03-2018 05:49 AM

Thanks. This is great...

Is there a way to validate that a match has occurred against the row from the lookup? Each row contains host, ip (and possibly fqdn). We get lists with dozens of servers/ip's and while this search is great, it would help if I could easily identify that a match was made (or wasn't made) against the row.

0 Karma
Reply

vupham
Explorer
‎10-03-2018 06:43 AM

I'm not sure if there is an elegant way to do that, especially when you're dealing with different columns. Maybe you can start by expanding the csv so that you have the hostname, ip, and fqdns on separate rows with some column to indicate what row they were in. do the join, and then recombine the rows afterwards.

This might get you halfway there.
|inputlookup testSVB2.csv | streamstats count as row | eval host=mvappend(host,ip,fqdn) | fields - ip fqdn | mvexpand host | join type=left host [|tstats count WHERE index=* AND [ | inputlookup testSVB2.csv | eval host=mvappend(host,ip,fqdn) | fields + host | format ] by host, index, sourcetype]

0 Karma
Reply

HiroshiSatoh
Champion
‎10-02-2018 05:49 PM

I think that it should convert it like this sample and use it.

ex.
    inputlookup testSVB2.csv | rex field=host "^(?<host>[^\.]+)|fields + host"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...