Hi all, getting to grips with SPL and would be forever grateful if someone could lend their brain for the below:
I've got the lookup in the format below:
(Fields) --> host, os, os version
-----------------------------------------
(Values) ---> Server01, Windows, Windows Server 2019
But in my case, this lookup has 3000 field values. I want to know their source values in Splunk. (This lookup was generated by a match condition with another, so I KNOW that these hosts are present in my Splunk env.)
I basically need a way to do the following:
"| tstats values(sources) where index=* host=(WHATEVER IS IN MY LOOKUP HOST FIELD) by index, host"
But I can't seem to find a way. I did try to originally match the below:
| tstats values(source) where index=* by host, index
| join type=inner host
    [| inputlookup mylookup.csv | fields host | dedup host]
But my results were too large for Splunk to handle, please help.
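One way to do what the post asks, as an added example that is not part of the original post: put the lookup in a subsearch inside the tstats where clause, so the host filter is applied before any results are returned and no join is needed. It assumes the host values in mylookup.csv match the indexed host values.

```spl
| tstats values(source) AS source where index=*
    [| inputlookup mylookup.csv
     | fields host
     | dedup host
     | format]
    by index, host
```

The subsearch expands to a (host="Server01") OR (host=...) expression, so the subsearch limits in limits.conf still apply to the number of hosts it can return.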