Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

using a lookup file to populate a search query

vincenp2
New Member
‎07-26-2018 03:23 AM

I have a lookup table containing a list of building names - which I think may be useful in creating the query I need

Buildings 'call in' on a regular basis - and events are created to show this.
I want to use the lookup table to run a query to show me if any buildings have NOT 'called in' in the past 7 days

so basically I need a query that searches for these 'call in' events from each building, and alert if a building has NOT 'called in' in the past 7 days

I can run a query looking back over the last 7 days
index=xyz | table building_name
which will report out any buildings that have reported in, but I need to know of the buildings that have NOT reported in

How can I create a report that does this, using the existing lookup table I have which contains all building names?

0 Karma
Reply

adonio
Ultra Champion
‎07-26-2018 04:12 AM

maybe something like that:

| inputlookup your_building_lookup.csv | search NOT [search index=xyz building_name=* | dedup building_name | fields building_name]

hope it helps

0 Karma
Reply

vincenp2
New Member
‎07-26-2018 04:38 AM

Hi thanks for replying so quickly - when I run this query it basically produces the whole content of the 'building_names' lookup file (5800 rows) - regardless of the time period I use?

I would expect to see a small number of building names, perhaps just 10 or so

I kinda understand the logic of the query you sent, and would have thought it might just produce a list of those buildings in the lookup table but had not produced any events in the time period queried

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...