Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Not getting results to lookup command

Nagalakshmi
Path Finder
‎02-29-2024 07:43 AM

Hi,

Need your assistance below

We have created new csv lookup and we are using the below query but we are getting  all the data from the index & sourcetype . we need to get the events only for the hosts which mentioned on the lookup is the requirement

Lookup name : Win_inventory.CSV used only one column called Server_name

index=Nagio sourcetype=nagios:core:hard 

|lookup Win_inventory.CSV Server_name as host_name OUTPUTNEW Server_name.




Server_name is not an existing interesting field

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-29-2024 08:56 AM

The current query will fetch all data from the index and then lookup the Server_name field.  To fetch only the hosts in the lookup file from the index, use a subsearch.

index=Nagio sourcetype=nagios:core:hard [ | inputlookup Win_inventory.CSV | fields Server_name | rename Server_name as host_name ]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-29-2024 12:27 PM

Make sure the Nagio index contains a field called "host_name".  If it does not, then change the rename command to make the Server_name field match a field name in the index.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Nagalakshmi
Path Finder
‎02-29-2024 11:19 AM

Hi @richgalloway ,

I used the above query, it is  showing 0 events 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-29-2024 08:56 AM

The current query will fetch all data from the index and then lookup the Server_name field.  To fetch only the hosts in the lookup file from the index, use a subsearch.

index=Nagio sourcetype=nagios:core:hard [ | inputlookup Win_inventory.CSV | fields Server_name | rename Server_name as host_name ]
---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...