There are a couple of scenarios that I'm running into for the host field in Splunk, based on our logging environment. From the lookup table sample above, we could see in Splunk:
1.) host=Hostname -- a 1:1 match from the lookup Hostname field to the host field in Splunk, no problem. In my search, this is working fine.
2.) host="IP Address" -- We are seeing this host in Splunk by its IP address, rather than its Hostname.
3.) host="Hostname*" -- This system's hostname is configured with a non-FQDN, but by the time it reaches Splunk one has been appended.
I believe that the area where I'm running into issues is the join. I don't think that Splunk is handling join type=left [subsearch][subsearch] the way that I was hoping it would.
If I had a search that worked perfectly, it would load the asset list, compare logging hosts in Splunk to the Hostname or "IP Address" fields in the lookup, and account for partial matches (host=host3*). If I have to use a different search rather than the type that I'm using above, I understand; however, an ideal output would be:
Hostname       IP Address       First Logged     Recently Logged  last_logged
host1.foo.com  220.127.116.11   5/4/18 21:42     5/6/18 16:08     Logging
host2.foo.com  18.104.22.168                                      Never Logged
host3          22.214.171.124   3/12/16 6:23     2/5/18 09:32     Stopped Logging
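The three host-matching scenarios and the wanted status column, modelled in Python as an added example (not from the original post and not SPL; it stands in for what the Splunk search has to do). The host4 asset, the event times and the 7-day "stopped logging" threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset lookup, same columns as the lookup table in the post.
ASSETS = [
    {"Hostname": "host1.foo.com", "IP Address": "220.127.116.11"},
    {"Hostname": "host2.foo.com", "IP Address": "18.104.22.168"},
    {"Hostname": "host3", "IP Address": "22.214.171.124"},
    {"Hostname": "host4.foo.com", "IP Address": "126.96.36.199"},  # assumed extra row
]

# Constructed per-host first/last event times, the shape Splunk would give from
# `stats min(_time) max(_time) by host`.  One host per scenario: host1 matches
# by hostname, host3 arrives with a domain appended, host4 is seen only by its
# IP address, and host2 never logs at all.
SEEN = {
    "host1.foo.com": (datetime(2018, 5, 4, 21, 42), datetime(2018, 5, 6, 16, 8)),
    "host3.foo.com": (datetime(2016, 3, 12, 6, 23), datetime(2018, 2, 5, 9, 32)),
    "126.96.36.199": (datetime(2018, 5, 1, 0, 0), datetime(2018, 5, 6, 12, 0)),
}

STALE_AFTER = timedelta(days=7)  # assumed threshold for "Stopped Logging"


def host_matches(asset, seen_host):
    """True if a Splunk host value belongs to this asset under any of the three
    scenarios: exact hostname, exact IP address, or hostname plus a domain."""
    name = asset["Hostname"].lower()
    seen = seen_host.lower()
    return seen == name or seen == asset["IP Address"] or seen.startswith(name + ".")


def reconcile(assets, seen, now):
    """Build the ideal output table: one row per asset, keeping the earliest
    and latest event time across every host value that matched it."""
    rows = []
    for asset in assets:
        hits = [times for h, times in seen.items() if host_matches(asset, h)]
        row = dict(asset)
        if not hits:
            row.update(first_logged=None, recently_logged=None, last_logged="Never Logged")
        else:
            first = min(f for f, _ in hits)
            last = max(l for _, l in hits)
            status = "Logging" if now - last <= STALE_AFTER else "Stopped Logging"
            row.update(first_logged=first, recently_logged=last, last_logged=status)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in reconcile(ASSETS, SEEN, datetime(2018, 5, 7)):
        print(r)
```

The prefix test requires a dot after the short hostname, so a lookup entry of host3 does not swallow a host such as host30.foo.com.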