Hi, I need your suggestion here. Please guide me
I have a lookup file with a list of hosts. I need to compare it with Splunk data and populate the matching count.
Query:
index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB)
| fields device.hostname,event.HostName
| rename device.hostname as hostfield, event.HostName as hostfield
| lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform
| fields hostfield,Platform
| stats dc(hostfield) as "totalcount" by Platform
I have 2 different sourcetypes under the same index. sourceA has a field "device.hostname" and sourceB has a field "event.HostName".
[ lookup file --> hostfield: AA,BB,CC
sourceA,device.hostname --> AA,XX,YY
sourceB,event.HostName --> CC,PP,KK
my output count should be 2 ]
If the value of either of these 2 fields matches the lookup hostname, then it should be considered. I tried the rename command. Please provide your inputs.
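The following is an added example (not the poster's query, and not a verified answer from the thread) showing the usual SPL pattern for folding two alternative hostname fields into one before a lookup: `eval` with `coalesce` instead of renaming both fields to the same name. It reuses the names from the post (`idxname`, `sourceA`, `sourceB`, `lookupfilename`, the lookup column `fieldname`, the output column `Platform`); all of those are assumed to exist exactly as the post describes them. Field names containing a dot must be single-quoted inside `eval`.

```spl
index=idxname ((sourcetype=sourceA desc=windows) OR sourcetype=sourceB)
| fields device.hostname, event.HostName
| eval hostfield=coalesce('device.hostname', 'event.HostName')
| where isnotnull(hostfield)
| lookup lookupfilename fieldname AS hostfield OUTPUTNEW Platform
| where isnotnull(Platform)
| stats dc(hostfield) AS totalcount by Platform
```

`coalesce` returns the first non-null argument, so each event ends up with a single `hostfield` regardless of which sourcetype it came from. The second `where` keeps only events whose host was found in the lookup, so `dc(hostfield)` counts distinct matching hosts rather than every host seen. With the sample data in the post (lookup AA, BB, CC; sourceA AA, XX, YY; sourceB CC, PP, KK) the distinct matches are AA and CC, giving a total of 2 across the `Platform` groups; drop `by Platform` if a single overall count is wanted. Two caveats worth checking: lookup matching is case-sensitive unless the lookup definition sets `case_sensitive_match = false`, so mixed-case hostnames (or FQDN versus short name) will silently fail to match, and `OUTPUTNEW` does not overwrite an existing `Platform` field, so use `OUTPUT` if the events already carry one.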