Hey all, looking for some assistance on this Splunk search. I've looked at other examples, but for some reason I'm unable to replicate that with our data set. Currently I have:
index=DB DNS="*aws.amazon.com*"
| dedup DNS
| stats count by DNS
| lookup dataFile hostname AS DNS OUTPUT hostname as matched
| eval matched=if(isnull(matched), "No Match", "Matched")
| stats sum(count) BY matched
So what this is doing is matching the index and the lookup file dataFile by the DNS name, and it just gives me the count of what matches and the count of what doesn't have a match in dataFile. However, I'm looking for this but essentially flipped: I need the results of the lookup table "dataFile" to be the base set of data and compare that to the index named DB, so that it displays the count of assets not matched in the index. I've tried something like this:
index=DB DNS="*aws.amazon.com*"
[|inputlookup dataFile
| rename hostname as host
| fields host]
| lookup dataFile hostname as DNS output hostname
| stats values(hostname) as host
but it just keeps parsing, so something is wrong here. Not sure what may be the best approach here.
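The flipped comparison the post asks for, as an added example that is not part of the original post and not the poster's own search. It assumes, as the post does, a lookup named dataFile with a hostname field holding the same values that appear in the DNS field of index=DB. Instead of driving the search from the index and calling lookup (which can only answer "is this index value in the lookup?"), it starts from inputlookup, appends the distinct DNS values seen in the index, and then asks per hostname whether the index contributed anything. The second attempt in the post never finishes because the subsearch is used as a filter on host, a field the index events are not being matched on, so it returns a huge OR list that matches nothing useful. Both sides are lowercased here because stats BY is case-sensitive while the lookup command is not, which is a common source of phantom "No Match" rows.

```spl
| inputlookup dataFile
| eval DNS=lower(hostname), in_lookup=1
| fields DNS in_lookup
| append
    [ search index=DB DNS="*aws.amazon.com*"
      | eval DNS=lower(DNS)
      | stats count AS in_index BY DNS ]
| stats max(in_lookup) AS in_lookup, sum(in_index) AS in_index BY DNS
| where in_lookup=1
| eval matched=if(isnull(in_index), "No Match", "Matched")
| stats count AS assets BY matched
```

The where in_lookup=1 line is what makes the lookup the base set: DNS values that exist only in the index are discarded rather than counted as "Matched". To list the unmatched assets instead of counting them, replace the last line with | where matched="No Match" | table DNS. One caveat: append runs the index search as a subsearch, which is subject to the default subsearch limits (result cap and timeout); the stats in the subsearch keeps the result set to one row per distinct DNS, but if the index side still exceeds those limits, run it as a scheduled search that writes to a summary lookup and inputlookup that instead.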