Hi @RanjiRaje

The appends definitely aren't needed here, as this runs a search for that data each time in order to do the lookup. Instead you could look to do something like this: replace the three append branches with a single lookup that matches on any of the three possible keys, then keep the latest event per host/IP.

| loadjob savedsearch="userid:search:hostslists"
| eval host=upper(host)
| lookup lookupname Hostname AS host OUTPUTNEW Hostname AS H1, IP AS IP1
| lookup lookupname IP AS host OUTPUTNEW IP AS IP2, Hostname AS H2
| lookup lookupname AltName AS host OUTPUTNEW AltName AS A3, IP AS IP3, Hostname AS H3
| eval Hostname=coalesce(H1,H2,H3), IP=coalesce(IP1,IP2,IP3)
| eval starttime=relative_time(now(),"-10d@d")
| where latest>=starttime
| stats max(latest) AS latest BY host, Hostname, IP
| eval "Last event date"=strftime(latest,"%d %b %Y")
| table host Hostname IP "Last event date"
| rename host AS "Host referred in Splunk"

Let me know how you get on or if any bits need tweaking or explaining.
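The search above resolves a host by Hostname, then IP, then AltName, coalesces the first hit, and keeps the newest event per resolved host inside a 10-day window. The following Python model of that pipeline is an added example, not part of the answer or of Splunk; the lookup rows, event list and `NOW` timestamp are constructed, and it reproduces one behaviour worth knowing about: a `stats ... BY host, Hostname, IP` drops any event whose host matched none of the three keys, because null group-by fields are excluded.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the "lookupname" CSV: one row per known asset.
LOOKUP = [
    {"Hostname": "WEB01", "IP": "10.0.0.5", "AltName": "WEB01.CORP.LOCAL"},
    {"Hostname": "DB02",  "IP": "10.0.0.9", "AltName": "DBPRIMARY"},
]

# Constructed events with the same fields the saved search is assumed to emit.
NOW = datetime(2024, 5, 20, 15, 0)
EVENTS = [
    {"host": "web01",     "latest": datetime(2024, 5, 18)},  # matches Hostname
    {"host": "10.0.0.9",  "latest": datetime(2024, 5, 19)},  # matches IP
    {"host": "10.0.0.9",  "latest": datetime(2024, 5, 12)},  # older duplicate
    {"host": "dbprimary", "latest": datetime(2024, 5, 15)},  # matches AltName
    {"host": "web01",     "latest": datetime(2024, 5, 1)},   # outside -10d@d
    {"host": "rogue-box", "latest": datetime(2024, 5, 19)},  # no lookup match
]

def lookup_host(host):
    """The three lookup pipes plus coalesce(): first key that matches wins."""
    host = host.upper()
    for key in ("Hostname", "IP", "AltName"):
        for row in LOOKUP:
            if row[key].upper() == host:
                return row["Hostname"], row["IP"]
    return None, None  # OUTPUTNEW leaves the fields absent

def latest_per_host(events, now, window_days=10):
    """where latest>=relative_time(now,"-10d@d") | stats max(latest) BY host, Hostname, IP."""
    start = (now - timedelta(days=window_days)).replace(hour=0, minute=0, second=0, microsecond=0)
    best = {}
    for ev in events:
        if ev["latest"] < start:
            continue
        host = ev["host"].upper()
        hostname, ip = lookup_host(host)
        if hostname is None or ip is None:
            continue  # stats BY drops rows with a null group-by field
        key = (host, hostname, ip)
        if key not in best or ev["latest"] > best[key]:
            best[key] = ev["latest"]
    return [{"Host referred in Splunk": h, "Hostname": hn, "IP": ip,
             "Last event date": t.strftime("%d %b %Y")}
            for (h, hn, ip), t in sorted(best.items())]

def run_demo():
    return latest_per_host(EVENTS, NOW)
```

If unmatched hosts should stay visible, give the coalesced fields a default (for example `coalesce(H1,H2,H3,"unknown")`) before the `stats`.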