Thank you! Your example didn't quite work as is, but it pointed me in the right direction, and the following query is what ended up working for my use case:

    | metadata type=hosts index=_internal
    | rex field=host "(?<host>.+)(--.+|---.+)"
    | lookup mylookup Name as host OUTPUT Name "IP Address" as IP Classification "Used for" as used_for
    | stats c by host,Name,IP,Classification,used_for
    | fields - c
    | append
        [| inputlookup mylookup
        | fields Name "IP Address" Classification "Used for"
        | rename "IP Address" as IP "Used for" as used_for ]
    | fillnull value="Missing in Splunk" host
    | search Classification=Production used_for!=*Citrix* used_for!=*Virtualization* used_for!="ESX Server"
    | stats first(*) as * by Name,IP,Classification,used_for
    | table host,Name,IP,Classification,used_for