Splunk Search

Use of Outputlookup results in further search

prsshini
New Member

I am trying to find the list of packages installed on all hosts. If any host doesn't have that package installed, I am trying to find those hosts as well. I am using outputlookup and inputlookup to achieve this.

index=module sourcetype=packages_installed source="InstalledSoftware" host="Comp*names" | dedup host | stats list(host) | outputlookup hosts.csv | append [search index=module sourcetype=packages_installed source="InstalledSoftware" pkgName= package1 | dedup host, Name | stats list(Host) count(host) by Name, Version ]

This gives me the list of all the hosts (100 hosts in total) at the top and the list of hosts where the package is installed (70) in the bottom frames.

How can I find the missing 30 hosts that do not have that package installed?

I tried using Set diff [search1] [search2] and don't find it helpful.

Any help is much appreciated.

0 Karma

jkat54
SplunkTrust

Does this work?

index=module sourcetype=packages_installed source="InstalledSoftware" host="Comp*names" 
| eval packageInstall=if(pkgName=="package1","True","False")
| stats values(packageInstall) as "Package Installed"  by host Name Version
0 Karma
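
An added example, not part of either post above: one way to list only the hosts that report software inventory but have no package1 entry, using a single pass with a conditional count instead of a lookup or `set diff`. It reuses the index, sourcetype, source, host pattern and `pkgName` field from the question and assumes every inventory event carries `pkgName`; the output field names `inventory_events`, `package1_events` and `status` are made up for the illustration.

```spl
index=module sourcetype=packages_installed source="InstalledSoftware" host="Comp*names"
| stats count AS inventory_events
        count(eval(pkgName=="package1")) AS package1_events
        by host
| eval status=if(package1_events > 0, "installed", "missing")
| where status="missing"
| table host inventory_events status
```

A host that sent no InstalledSoftware events in the search time range does not appear in this result at all, so hosts that have stopped reporting need to be checked against an independent host list.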