Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

using a lookup file to populate a search query

vincenp2
New Member
‎07-26-2018 03:23 AM

I have a lookup table containing a list of building names - which I think may be useful in creating the query I need

Buildings 'call in' on a regular basis - and events are created to show this.
I want to use the lookup table to run a query to show me if any buildings have NOT 'called in' in the past 7 days

so basically I need a query that searches for these 'call in' events from each building, and alert if a building has NOT 'called in' in the past 7 days

I can run a query looking back over the last 7 days
index=xyz | table building_name
which will report out any buildings that have reported in, but I need to know of the buildings that have NOT reported in

How can I create a report that does this, using the existing lookup table I have which contains all building names?

0 Karma
Reply

adonio
Ultra Champion
‎07-26-2018 04:12 AM

maybe something like that:

| inputlookup your_building_lookup.csv | search NOT [search index=xyz building_name=* | dedup building_name | fields building_name]

hope it helps

0 Karma
Reply

vincenp2
New Member
‎07-26-2018 04:38 AM

Hi thanks for replying so quickly - when I run this query it basically produces the whole content of the 'building_names' lookup file (5800 rows) - regardless of the time period I use?

I would expect to see a small number of building names, perhaps just 10 or so

I kinda understand the logic of the query you sent, and would have thought it might just produce a list of those buildings in the lookup table but had not produced any events in the time period queried

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...