Solved: Scripted Input and Search

tkwaller · ‎04-20-2015

Here is what I am trying to do:
Within the same timeframe
1. I have a splunk search that returns all hosts in the last 24 hours that have "checked in" or returned results.
2. I created a puppet script to check against the puppet db to get a list of all hosts known to puppet.

I want to be able to run a compare against the results of both searches to find hosts that are in one and not the other.

I could create a scripted input in Splunk to send the result of puppet script to Splunk index but since both the script and the search in splunk would, in theory, return the same data from the same index how would I create the search for this?

Is this the best method to accomplish this task?

Thanks for any assistance!

bwooden · ‎04-20-2015

One way would be to save the puppet results in a lookup file (with a header/field called host). Afterwards, run the Splunk search to find "checked_in" hosts, dedup those, add that puppet lookup file, and finally show hosts that were not in both. Something like this:

base_search_to_return_checked_in_hosts_from_splunk | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2

View solution in original post

bwooden · ‎04-20-2015

One way would be to save the puppet results in a lookup file (with a header/field called host). Afterwards, run the Splunk search to find "checked_in" hosts, dedup those, add that puppet lookup file, and finally show hosts that were not in both. Something like this:

base_search_to_return_checked_in_hosts_from_splunk | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2

tkwaller · ‎04-21-2015

Thanks for the help! I guess the problem I am having is how to get the script to save the results to a lookup file.

bwooden · ‎04-21-2015

If iti s a scripted input, you would setup a saved search in Splunk and then run a search to find that data and then pipe results to outputlookup command.
Otherwise, if it is a script external to Splunk, you can just save the results to $SPLUNK_HOME/etc/apps/search/lookups and use it from there.

tkwaller · ‎04-21-2015

You are awesome, thanks for the assistance!

tkwaller · ‎04-21-2015

One more question:
I had the script save the results to $SPLUNK_HOME/etc/apps/search/lookups and I verified that it worked and had results by running "| inputlookup puppet_results.csv" which returned 482 results.

When I run "index=_internal | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2" I get the results of the initial search but get no results from the "inputlookup" portion.

Any idea what might be the issue?

tkwaller · ‎04-22-2015

I figured out why its not working the way I want. the results from the puppet script return the results in a field named after the first result instead of in a field called "host"

Thanks for your help on this, it's much appreciated!

Scripted Input and Search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation