Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputlookup query table fields

MGlass
Explorer
‎12-22-2023 09:08 AM

I am running the current search using the network toolkit but will not show the hostname field from the csv, do I need to do another inputlookup at the end of the search.

| inputlookup iphost.csv
| search src_ipV4=* hostname=*
| rename src_ipV4 as host
| stats values(host) as host
| mvexpand host
| map maxsearches=50 search="| ping host=$host$ count=1 | eval dest=if(isnull(dest),host,dest) | fields host dest received"
| table host dest received hostname

Labels (1)
Labels
0 Karma
Reply

dtburrows3
Builder
‎12-22-2023 09:19 AM

Since you are piping to a map command the final resulting dataset you are presented with are from the inner search of that map command. You should be able to use hostname as a token inside that inner search to get it to show up in the final results.

Something like this.

 

| inputlookup iphost.csv
| search src_ipV4=* hostname=*
| rename src_ipV4 as host
| stats values(host) as host by hostname
| mvexpand host
| map maxsearches=50 search="| ping host=$host$ count=1 | eval dest=if(isnull(dest),host,dest), hostname=\"$hostname$\" | fields host dest received, hostname"
| table host dest received hostname

 

 

0 Karma
Reply

MGlass
Explorer
‎12-22-2023 12:00 PM

Looks like it works but the received results are the same for each host, I have 7 of  8 servers offline and they all show received responses.

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...