Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- lookup and index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
my research: index="dc_winaudit" host=IN1101D9 OR host=IN1101DA OR host=IN1101DB OR host="IN1101DC" OR host="in1101dd" OR host="IN1101DE" OR host="IN1102D1" OR host="IN1102D2" OR host="IN1102D3" OR host="IN1102D4" OR host="IN1102D5" OR host="IN1102D7" OR host="IN1102D8" OR host="IN1102DC" OR host="IN1102DD" OR host="IN1102DE" OR host="IN1102DG" OR host="IN1102DH" OR host="IN1102DI" OR host="IN1102DJ" OR host="IN1104D1" OR host="IN1104D2" OR host="IN1104D3" OR host="IN1104D4" OR host="IN1104D5" OR host="IN1104D6" OR host="IN1104D7" OR host="IN1104DH" OR host="IN1104DI" OR host="IN1104DJ" OR host="IN4000D2" OR host="IN8000D2" OR host="IN7201D1" OR host="IN7202D2" OR host="IN7202D3" OR host="IN7201D1" OR host="IN7201D2" OR host="IN7201D3" OR host="IN9901D1" OR host="IN9901D2" OR host="IN9901D3" OR host="IN9901D4" OR host="IN9902D1" OR host="IN9902D2" OR host="IN9902D3" OR host="IN9902D4"
|rename Target_Domain as Domaine
|table host Domaine
|dedup host
|eval collecte=if(action = success,"Non","Oui")
I-ts work :)
I created a.csv file to simplify, in my CSV file there is only one column it is the one of the host.
I would like to know how I can get exactly the same results by doing my search this time with my csv file and index.
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is one method. The inputlookup subsearch builds a set of "host=" pairs that become part of the main search. Run the subsearch by itself to see what happens.
index=dc_winaudit [ | inputlookup hosts.csv | fields host | format ]
|rename Target_Domain as Domaine |table host Domaine |dedup host |eval collecte=if(action = success,"Non","Oui")
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @richgalloway
I added domain column to my csv file where each host corresponds to a domain.
so I modified the request to display domain column but it doesn't work, here it is my new request:
index=dc_winaudit [| inputlookup domaincontrol.csv | fields host, domain | format ]
|table host domain |dedup host |eval collecte=if(action = success,"Non","Oui")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is one method. The inputlookup subsearch builds a set of "host=" pairs that become part of the main search. Run the subsearch by itself to see what happens.
index=dc_winaudit [ | inputlookup hosts.csv | fields host | format ]
|rename Target_Domain as Domaine |table host Domaine |dedup host |eval collecte=if(action = success,"Non","Oui")
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's work,
Thank you @richgalloway
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
