Hello,
It is the first time that I am going to use this command, and the truth is I am a bit confused: even though I have read about this command, it is still not clear to me.
I have Windows machines with the agent installed sending logs to index = main.
I have a .csv file with the inventory of all the machines.
I need to get a list of the hosts that have never reported logs, either because the agent has not been installed yet or because they reported logs and at a certain point stopped doing so.
I installed the "Lookup Editor" and already uploaded the inventory there.
Using the query | inputlookup hostinventory.csv I already get the inventory information.
But I need to compare the hosts that index = main sees reporting (or having reported) logs against the inventory csv file, to get an idea of which hosts are reporting and which ones are not.
In the host inventory file I have a column called "host"; I need to compare it with the "host" field from the index main.
index=main |stats count by ComputerName (brings me the hosts that are reporting logs from the index main)
| inputlookup hostinventory.csv (brings me the logs that are in the csv file in the field called "host")
But I cannot correlate the two sources of information to get a list of which hosts are reporting and which are not reporting logs.
Rename ComputerName to host so it matches the name in the csv, then count how many times each host appears. It will be 2 if there are events in the index and the csv.
index=main |stats count by ComputerName
| rename ComputerName as host
| inputlookup append=t hostinventory.csv
| stats count by host
Thank you very much for your valuable help.
I have added a where count = 2 for those who are reporting logs and where count = 1 for those who are not reporting logs.
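A variant of the query from the answer, added here as an example and not part of the original thread: it records which source each row came from, so a host that appears only in the index is not mistaken for one that appears only in the inventory (both give count = 1), and it separates hosts that never reported from hosts that stopped. Assumptions: the 30-day search window and the 24-hour silence threshold are placeholders, the csv has no column named events, and host names are lower-cased on both sides so that differences in case do not split one machine into two rows.

```spl
index=main earliest=-30d
| stats count AS events latest(_time) AS last_seen BY ComputerName
| eval host=lower(ComputerName)
| fields host events last_seen
| inputlookup append=t hostinventory.csv
| eval host=lower(host), in_inventory=if(isnull(events), 1, 0)
| stats sum(events) AS events max(last_seen) AS last_seen max(in_inventory) AS in_inventory BY host
| fillnull value=0 events
| eval status=case(
    in_inventory=0, "reporting, not in inventory",
    events=0, "in inventory, no events in search window",
    last_seen < relative_time(now(), "-24h"), "in inventory, stopped reporting",
    true(), "in inventory, reporting")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort status host
| table host status events last_seen
```

Hosts with status "reporting, not in inventory" are machines sending logs that the csv does not list, which the count-based comparison cannot tell apart from missing agents.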