Hi @RanjiRaje
The appends definitely aren't needed here, as this runs a search for that data each time in order to do the lookup - instead you could look to do something like this:
Replace the three append branches with a single lookup that matches on any of the three possible keys, then keep the latest event per host/IP.
```
| loadjob savedsearch="userid:search:hostslists"
| eval host=upper(host)
| lookup lookupname Hostname as host OUTPUTNEW Hostname as H1, IP as IP1
| lookup lookupname IP as host OUTPUTNEW IP as IP2, Hostname as H2
| lookup lookupname AltName as host OUTPUTNEW AltName as A3, IP as IP3, Hostname as H3
| eval Hostname=coalesce(H1,H2,H3), IP=coalesce(IP1,IP2,IP3)
| eval starttime=relative_time(now(),"-10d@d")
| where latest>=starttime
| stats max(latest) as latest by host, Hostname, IP
| eval "Last event date"=strftime(latest,"%d %b %Y")
| table host Hostname IP "Last event date"
| rename host AS "Host referred in Splunk"
```
Let me know how you get on or if any bits need tweaking or explaining.