Using a lookup file in a subsearch

Makinde
New Member

I have an original search to identify some vulnerabilities in my network. One of the fields in the search string is the Server_name field; however, I want it to pull that information from my lookup file, so I am going to have to do a search in a search.

One challenge I have is that my server names in Splunk are the FQDN but the server_name in my lookup file is just the server name, not the FQDN, so for me to get a match I need to use a wildcard (*). For example, Server_name in Splunk is WLTYZ.domain.com while the server name in the lookup file is WLTYZ, but I need my search string to match WLTYZ.domain.com in the search results when it uses the result WLTYZ from the lookup file.

I am thinking of putting the wildcard before and after the lookup search string so my search string looks like this:

index=main host_name=*[| inputlookup UCMDB.csv where MD="Ken Bell" | table "Server Name"]* | dedup host_name, qid | stats count by host_name

Do you think this will work? If not what would you recommend?

0 Karma
1 Solution

martin_mueller
SplunkTrust

That's not how filtering by subsearch results works. Try this:

index=main [| inputlookup UCMDB.csv where MD="Ken Bell" | rename "Server Name" as host_name | fields host_name | eval host_name = host_name."*"] | stats dc(qid) by host_name

Note, I've only added the asterisk to the end because of how you described the FQDN difference; wildcards at the beginning of search terms are terribly inefficient. I've also replaced the dedup | stats count with a stats dc(), which should do the same thing but faster.

0 Karma

martin_mueller
SplunkTrust

To troubleshoot, split the search into two parts. First, run this:

| inputlookup UCMDB.csv where MD="Ken Bell" | rename "Server Name" as host_name | fields host_name | eval host_name = host_name."*" | format

The result should be a list of host_name="foo*" filters concatenated with a bunch of parentheses and ORs. If that list looks okay, copy it into this:

index=main PASTEHERE | stats dc(qid) by host_name

0 Karma
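To make the two troubleshooting steps concrete, here is what the expansion looks like end to end. This is an added illustration, not part of Martin's post or of Splunk's documentation; the lookup rows WLTYZ and ABCDE are constructed for the example, and `qid`, `MD` and the `Ken Bell` filter are taken as given from the thread. Running the first search (ending in `| format`) over a lookup that returns those two rows yields a single field containing `( ( host_name="WLTYZ*" ) OR ( host_name="ABCDE*" ) )`; pasting that in place of PASTEHERE gives the fully expanded search, which is exactly what Splunk executes when the subsearch is left in place:

```spl
index=main ( ( host_name="WLTYZ*" ) OR ( host_name="ABCDE*" ) )
| stats dc(qid) by host_name
```

Two caveats worth checking when the expanded form does not match what you expect. First, `host_name="WLTYZ*"` matches WLTYZ.domain.com but also any other host whose name merely begins with WLTYZ (for instance WLTYZ2.domain.com), so a short lookup value can pull in more hosts than intended; appending `."."` before the asterisk (`host_name."."."*"`, i.e. `WLTYZ.*`) is tighter if every host in the index really is an FQDN. Second, subsearches are capped by default at 10,000 results and 60 seconds of runtime; a lookup larger than that is silently truncated, and the `| format` step above is the quickest way to see how many terms actually made it into the outer search.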

Makinde
New Member

Hi Martin,

I tried the search string you suggested; it wasn't working, so I started troubleshooting.
First, let's start with the FQDN with no difference, so I removed the "*" just to simplify it all.
I was able to confirm that | inputlookup UCMDB.csv where MD="Ken Bell" | rename "Server Name" as host_name | fields host_name works fine, but when I put it all in the search it isn't working.
I confirmed the hostname returned does exist in the index, so logically it should work; however, I can't see any results when I run the search.
Any ideas?

0 Karma

Makinde
New Member

After further troubleshooting, I noticed that "| inputlookup UCMDB.csv where MD="Ken Bell" | rename "Server Name" as host_name | fields host_name" works fine, but when I add the "| eval host_name = host_name" section the search returns no values in the fields.
I think the problem is with the eval function. Any ideas?

0 Karma