Solved: Re: metadata used in subsearch

splunkin11 · ‎08-30-2016

I'm trying to join hosts from a .csv file to the results of this metadata search:
|metadata type=hosts | eval time_diff = now() - lastTime

The .csv file will have some hosts that don't exist in the metadata results but I need to have them show in the final results.
I was thinking a subsearch would work but it fails to match up all the records. I only get about 20 matching records but it does show all records from the .csv.

Any suggestions???

sundareshr · ‎08-30-2016

Try this

| inputlookup myfile.csv | fields host | append  [|metadata type=hosts | eval time_diff = now() - lastTime| table *] | stats first(time_diff) as time_diff by host

View solution in original post

vasanthmss · ‎08-30-2016

Try this,

|inputlookup myfile.csv | fields host | append [|metadata type=hosts |search host=CCFS* | eval time_diff = now() - lastTime| table *] | stats values(*) as * by host

V

sundareshr · ‎08-30-2016

Try this

| inputlookup myfile.csv | fields host | append  [|metadata type=hosts | eval time_diff = now() - lastTime| table *] | stats first(time_diff) as time_diff by host

splunkin11 · ‎08-30-2016

Thanks so much!! That works.

metadata used in subsearch

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest