Splunk Search

Matching event results to a lookup field with a wildcard.

joeybagofdonuts
Explorer

Hello!

 

I'm trying to build out a lookup of services on specific servers that I want to know when they've stopped. But I wanted to use wildcards for servers so I didn't need to type out a lot of servers.

 

This is the some sample data and the base of the search that I've been playing with.

hostNameseverityfailuresAllowed
server1234service1low3
server1*service2high1
server2*service3medium2

 

index=windows source=service earliest=-20m
[inputlookup Windows_App_Services.csv | table host Name ]
| stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name
| join host Name type=outer [inputlookup Windows_App_Services.csv]


The first inputlookup pulls in just the server name and service we're looking at so that I can search only those events. Then I count how many of those events have a State of not running so I know how many times in the 20 minute lookup back period they haven't been running. Then I'd like to pull in severity and failuresAllowed so that I can use those to calculate severity in ITSI, but when I try to do the join it does not work because the host doesn't match what's in the lookup since it's wildcarded.

 

I've tried creating a wildcard match_type on that lookup, but that doesn't seem to help me. Anyone have any ideas?

 

Thanks for your help!

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Create a new lookup definition called "Windows_App_Services" that references Windows_App_Services.csv.  In the Advanced Options section, set the Match type field to "WILDCARD(host)".

Then replace the join in the query with a lookup.

index=windows source=service earliest=-20m
[inputlookup Windows_App_Services.csv | table host Name ]
| stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name
| lookup Windows_App_Services host OUTPUT severity failuresAllowed

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Create a new lookup definition called "Windows_App_Services" that references Windows_App_Services.csv.  In the Advanced Options section, set the Match type field to "WILDCARD(host)".

Then replace the join in the query with a lookup.

index=windows source=service earliest=-20m
[inputlookup Windows_App_Services.csv | table host Name ]
| stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name
| lookup Windows_App_Services host OUTPUT severity failuresAllowed

 

---
If this reply helps you, Karma would be appreciated.

joeybagofdonuts
Explorer

Thanks! That worked for me, I was messing up the syntax of calling the lookup. I've accepted this as the solution, but I have a follow up question if you'd be so inclined.

 

Say I want to take it a step further and be able to list multiple hosts and be able to wild card. Like this for example:

hostNameseverityfailuresAllowed
server123::server234::server345Service1low3
server1*Service2high1
server123Service3medium2

 

This works for the 2nd and 3rd row. Note that I'm doing my lookup by host and Name because certain servers could be looking at the same services with different severities resulting if it's stopped.

 

index=windows source=service earliest=-20m
[inputlookup Windows_App_Services.csv | table host Name | makemv delim=:: host | mvexpand host]
| stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name
| lookup Windows_App_Services host Name OUTPUT severity failuresAllowed

 

 

However I'm not sure how to split out the hosts in the first row as this doesn't quite do it.

 

index=windows source=service
[inputlookup Windows_App_Services.csv | table host Name | makemv delim=:: host | mvexpand host]
| stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name
| lookup Windows_App_Services_Lookup host Name | makemv delim=:: host | mvexpand host

 

 

I'm at a point where I could probably bang my head against a wall for a little and figure it out, but any advice would be much appreciated!

0 Karma

joeybagofdonuts
Explorer

I did some headslamming and realized I could just do this. Might not be the most efficient so still open to critiques, but this got me the results I wanted!

index=windows source=service
[inputlookup Windows_App_Services.csv | table host Name | makemv delim=:: host | mvexpand host]
| stats count(eval(if(State!="Running",1,null()))) as failureCount by host Name
| lookup Windows_App_Services_Lookup host Name
| join host Name type=outer [inputlookup Windows_App_Services.csv | makemv delim=:: host | mvexpand host]
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...