Solved: Not getting results to lookup command

Nagalakshmi · ‎02-29-2024

Hi,

Need your assistance below

We have created new csv lookup and we are using the below query but we are getting all the data from the index & sourcetype . we need to get the events only for the hosts which mentioned on the lookup is the requirement

Lookup name : Win_inventory.CSV used only one column called Server_name

index=Nagio sourcetype=nagios:core:hard 

|lookup Win_inventory.CSV Server_name as host_name OUTPUTNEW Server_name.

Server_name is not an existing interesting field

richgalloway · ‎02-29-2024

The current query will fetch all data from the index and then lookup the Server_name field. To fetch only the hosts in the lookup file from the index, use a subsearch.

index=Nagio sourcetype=nagios:core:hard [ | inputlookup Win_inventory.CSV | fields Server_name | rename Server_name as host_name ]

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-29-2024

Make sure the Nagio index contains a field called "host_name". If it does not, then change the rename command to make the Server_name field match a field name in the index.

---
If this reply helps you, Karma would be appreciated.

Nagalakshmi · ‎02-29-2024

Hi @richgalloway ,

I used the above query, it is showing 0 events

richgalloway · ‎02-29-2024

The current query will fetch all data from the index and then lookup the Server_name field. To fetch only the hosts in the lookup file from the index, use a subsearch.

index=Nagio sourcetype=nagios:core:hard [ | inputlookup Win_inventory.CSV | fields Server_name | rename Server_name as host_name ]

---
If this reply helps you, Karma would be appreciated.

Not getting results to lookup command

lookup

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience