Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search help ?

splunker969
Communicator
‎05-16-2018 08:07 AM

When Iam trying to run this search its giving me wrong results .Please correct my search. In my csv is having to coumlmns one is host and other H=YES . Thanks

| metadata type=hosts index=*
| join [| inputlookup watchlist1.csv |search H=YES| rename Host as host]
| stats min(firstTime) as firstTime, max(recentTime) as recentTime, max(lastTime) as lastTime, sum(totalCount) as totalCount by host
| sort lastTime
| convert cTime(firstTime) ctime(recentTime) ctime(lastTime)
| fields host, firstTime, recentTime, lastTime, totalCount

Tags (2)
0 Karma
Reply

elliotproebstel
Champion
‎05-16-2018 08:23 AM

Are you trying to filter the results of the metadata query to only show hosts from your lookup file that contain YES in the H field? If so, give this a shot:

| metadata type=hosts index=* 
| search 
 [| inputlookup watchlist1.csv 
 |search H="YES"
 | rename Host as host
 | fields host ] 
| stats min(firstTime) as firstTime, max(recentTime) as recentTime, max(lastTime) as lastTime, sum(totalCount) as totalCount by host 
| sort lastTime 
| convert cTime(firstTime) ctime(recentTime) ctime(lastTime)
| fields host, firstTime, recentTime, lastTime, totalCount
Reply

splunker969
Communicator
‎05-16-2018 08:35 AM

Hi ellitproebstel ,

Thanks :)Search is working can you help me to find the fully qualified name for host when i search its giving me host name in short cut .

0 Karma
Reply

elliotproebstel
Champion
‎05-16-2018 08:50 AM

Do you have the fully qualified name somewhere in your logs or in a lookup?

0 Karma
Reply

splunker969
Communicator
‎05-16-2018 08:58 AM

logs are having names

0 Karma
Reply

splunker969
Communicator
‎05-16-2018 09:09 AM

In csv better we need to keep host names as below i got results but in more hosts than csv file .

    host     H
     YY*      YES
      XX*      YES
0 Karma
Reply

splunker969
Communicator
‎05-16-2018 10:02 AM

Hi Mate,

As we are getting the duplicate results from the csv table and the results are coming with both normal host name and hostname with FQDNS. How do we resolve this and please suggest.

Example:
host
host.com

Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...