inputlookup help

splunkcol
Builder

Hello,

This is the first time I am going to use this command and, truthfully, I am a bit confused; even though I have read about the command, it is not clear to me.

I have Windows machines with the agent installed sending logs to index=main.

I have a .csv file with the inventory of all the machines.

I need to get a list of the hosts that have never reported logs, either because the agent has not been installed yet or because they reported logs and at a certain point stopped doing so.

I installed the "Lookup Editor" and already uploaded the inventory there.

Using the query | inputlookup hostinventory.csv I already get the inventory information.

But I need to compare the hosts that index=main sees (those that report or have reported logs) against the inventory csv file to get an idea of which hosts are reporting and which ones are not.

In the host inventory file I have a column called "host"; I need to compare it with the "host" field from the index main.

index=main |stats count by ComputerName  (brings me the hosts that are reporting logs from the index main)

| inputlookup hostinventory.csv (brings me the logs that are in the csv file in the field called "host")

but I cannot correlate the two sources of information to get a list of which hosts are reporting and which are not reporting logs


ITWhisperer
SplunkTrust

Rename ComputerName to host so it matches the name in the csv, then count how many times each host appears. It will be 2 if there are events in the index and the csv.

index=main |stats count by ComputerName
| rename ComputerName as host
| inputlookup append=t hostinventory.csv
| stats count by host
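As an added example (not part of the thread), this extends the pipeline above so that count=1 is not misread: a host can be in the inventory only (never reported) or in the index only (missing from the inventory), and a host present in both can have gone quiet, which is the second case the question asks about. It assumes the same hostinventory.csv with a host column, that ComputerName and the csv use the same naming (short name vs FQDN), and a 30-day search window with a 24-hour staleness threshold; both thresholds are assumptions to adjust.

```spl
index=main earliest=-30d
| stats latest(_time) as last_seen by ComputerName
| rename ComputerName as host
| inputlookup append=t hostinventory.csv
| eval host=lower(trim(host))
| stats count max(last_seen) as last_seen by host
| eval status=case(
    count>=2 AND last_seen>=relative_time(now(), "-24h"), "reporting",
    count>=2, "stopped reporting",
    count==1 AND isnotnull(last_seen), "reporting but missing from inventory",
    true(), "in inventory, never reported")
| eval last_seen=if(isnotnull(last_seen), strftime(last_seen, "%Y-%m-%d %H:%M:%S"), "never")
| table host status last_seen
| sort status host
```

Rows appended from the csv carry no last_seen, so a null last_seen identifies inventory-only hosts, while the lower(trim()) normalisation keeps "HOST01" and "host01 " from counting as two different hosts. Hosts tagged "reporting but missing from inventory" are worth a look as well, since an unmanaged machine sending Windows logs is its own kind of coverage gap.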


splunkcol
Builder

Thank you very much for your valuable help.

I have added a where count = 2 for those that are reporting logs and a where count = 1 for those that are not reporting logs.
