Splunk Search

using a lookup file to populate a search query

vincenp2
New Member

I have a lookup table containing a list of building names - which I think may be useful in creating the query I need

Buildings 'call in' on a regular basis - and events are created to show this.
I want to use the lookup table to run a query to show me if any buildings have NOT 'called in' in the past 7 days

so basically I need a query that searches for these 'call in' events from each building, and alerts if a building has NOT 'called in' in the past 7 days

I can run a query looking back over the last 7 days
index=xyz | table building_name
which will report out any buildings that have reported in, but I need to know of the buildings that have NOT reported in

How can I create a report that does this, using the existing lookup table I have which contains all building names?

0 Karma

adonio
Ultra Champion

maybe something like that:

| inputlookup your_building_lookup.csv | search NOT [search index=xyz building_name=* | dedup building_name | fields building_name]

hope it helps

0 Karma

vincenp2
New Member

Hi, thanks for replying so quickly - when I run this query it basically produces the whole content of the 'building_names' lookup file (5800 rows), regardless of the time period I use.

I would expect to see a small number of building names, perhaps just 10 or so

I kinda understand the logic of the query you sent, and would have thought it might just produce a list of those buildings that are in the lookup table but had not produced any events in the time period queried

0 Karma
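Added example, not part of either post above: an alternative SPL search that avoids the subsearch entirely. The `NOT [subsearch]` form only filters rows when the column name in the lookup file is exactly the same as the field name the subsearch hands back (here `building_name`); if the lookup column is called anything else, `NOT building_name=...` matches every lookup row, which is one way to end up with all 5800 rows. The approach below appends the lookup rows to the per-building event counts and keeps only buildings whose total is zero, so it is not subject to subsearch result limits either. The lookup file name `your_building_lookup.csv`, the column name `building_name` and the 7-day window are assumptions taken from the thread.

```spl
index=xyz earliest=-7d building_name=*
| stats count AS callins BY building_name
| inputlookup append=true your_building_lookup.csv
| fillnull value=0 callins
| stats sum(callins) AS callins BY building_name
| where callins=0
```

The first `stats` produces one row per building that called in during the window (`callins` >= 1); `inputlookup append=true` adds one row per building from the lookup with no `callins` value, which `fillnull` sets to 0. Summing by `building_name` then gives a total of at least 1 for any building with events and exactly 0 for buildings that appear only in the lookup, and `where callins=0` keeps just those. If the lookup column is not literally `building_name`, insert `| rename <your_column> AS building_name` directly after the `inputlookup` line; to check the column name, run `| inputlookup your_building_lookup.csv | head 5` on its own first.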