Splunk Search

inputlookup help

splunkcol
Builder

Hello,

This is the first time I am going to use this command, and the truth is I am a bit confused; even though I have read about this command, it is still not clear to me.

I have windows machines with the agent installed sending logs to index = main

I have a file in .csv with the inventory of all the machines

I need to get a list of the hosts that have never reported logs, either because the agent has not been installed yet or because they reported logs and at a certain point stopped doing so.

I installed the "lookup Editor" and already uploaded the inventory there.

Using the query | inputlookup hostinventory.csv I already get inventory information

But I need to make a comparison of the hosts that index = main sees (that report or have reported logs) vs the inventory csv file, to get an idea of which hosts are reporting and which ones are not.

In the host inventory file I have a column called "host". I need to compare it with the "host" field from the index main.

index=main | stats count by ComputerName  (brings me the hosts that are reporting logs from the index main)

| inputlookup hostinventory.csv  (brings me the hosts that are in the csv file, in the field called "host")

But I cannot correlate the two sources of information to get a list of which hosts are reporting and which are not reporting logs.


ITWhisperer
SplunkTrust

Rename ComputerName to host so it matches the name in the csv, then count how many times each host appears. It will be 2 if there are events in the index and the csv.

index=main | stats count by ComputerName
| rename ComputerName as host
| inputlookup append=t hostinventory.csv
| stats count by host


splunkcol
Builder

Thank you very much for your valuable help.

I have added a where count = 2 for those that are reporting logs and where count = 1 for those that are not reporting logs.
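Building on the accepted answer and the where count = 1 / count = 2 filter above, here is an added SPL example (not from the thread or from Splunk's documentation) that labels each host as reporting, not reporting, or not in inventory, and adds a last-seen timestamp so stale agents stand out. It assumes the same hostinventory.csv with a "host" column and the ComputerName field in index=main, plus a 7-day lookback window chosen as an assumption; lower() is applied to both sides so case differences in host names do not produce false "not reporting" results.

```spl
index=main earliest=-7d
| stats count AS event_count, max(_time) AS last_seen BY ComputerName
| rename ComputerName AS host
| inputlookup append=true hostinventory.csv
| eval host=lower(host)
| stats sum(event_count) AS event_count, max(last_seen) AS last_seen, count AS sources BY host
| eval status=if(sources=2, "reporting",
                 if(isnull(event_count), "not reporting", "not in inventory"))
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| where status!="reporting"
| table host status event_count last_seen
```

The "not in inventory" rows (hosts sending logs that the csv does not list) are worth reviewing too, since they usually mean the inventory is out of date or the host name formats (short name vs. FQDN) differ between the two sources.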
