Solved: help for retrieving events not found from a lookup...

jip31 · ‎10-12-2020

Hello

I use the search below in order to display the list of HOSTNAME which have a SITE field that matches

| inputlookup lookup_cmdb 
| search HOSTNAME= aaa
    OR HOSTNAME= bbb
    OR HOSTNAME= ccc
    OR HOSTNAME= dddd
| stats values(SITE) as SITE by HOSTNAME
| table HOSTNAME

Instead the host which have a SITE field that matches, I would like to display the host list that have no SITE field

How to do please?

ITWhisperer · ‎10-12-2020

| inputlookup lookup_cmdb 
| search HOSTNAME= aaa
    OR HOSTNAME= bbb
    OR HOSTNAME= ccc
    OR HOSTNAME= dddd
| search NOT SITE="*"

View solution in original post

ITWhisperer · ‎10-12-2020

| inputlookup lookup_cmdb 
| search HOSTNAME= aaa
    OR HOSTNAME= bbb
    OR HOSTNAME= ccc
    OR HOSTNAME= dddd
| where isnull(SITE)

jip31 · ‎10-12-2020

I have already tested it but like this I have no results......

ITWhisperer · ‎10-12-2020

| inputlookup lookup_cmdb 
| search HOSTNAME= aaa
    OR HOSTNAME= bbb
    OR HOSTNAME= ccc
    OR HOSTNAME= dddd
| where isnull(SITE) OR SITE=""

jip31 · ‎10-12-2020

@ITWhisperer wrote:

| inputlookup lookup_cmdb 
| search HOSTNAME= aaa
    OR HOSTNAME= bbb
    OR HOSTNAME= ccc
    OR HOSTNAME= dddd
| where isnull(SITE) OR SITE=""

no results too...

jip31 · ‎10-12-2020

| where isnotnull(SITE) works but not | where isnull(SITE)

ITWhisperer · ‎10-12-2020

| inputlookup lookup_cmdb 
| search HOSTNAME= aaa
    OR HOSTNAME= bbb
    OR HOSTNAME= ccc
    OR HOSTNAME= dddd
| search NOT SITE="*"

help for retrieving events not found from a lookup list

stats

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk