inputlookup query table fields

MGlass · ‎12-22-2023

I am running the current search using the network toolkit but will not show the hostname field from the csv, do I need to do another inputlookup at the end of the search.

dtburrows3 · ‎12-22-2023

Since you are piping to a map command the final resulting dataset you are presented with are from the inner search of that map command. You should be able to use hostname as a token inside that inner search to get it to show up in the final results.

Something like this.

| inputlookup iphost.csv
| search src_ipV4=* hostname=*
| rename src_ipV4 as host
| stats values(host) as host by hostname
| mvexpand host
| map maxsearches=50 search="| ping host=$host$ count=1 | eval dest=if(isnull(dest),host,dest), hostname=\"$hostname$\" | fields host dest received, hostname"
| table host dest received hostname

MGlass · ‎12-22-2023

Looks like it works but the received results are the same for each host, I have 7 of 8 servers offline and they all show received responses.

inputlookup query table fields

lookup

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!