Re: Splunk Dashboard UF search

arunsundarm · ‎03-10-2023

I Need to take a CSV file as input with a list of UF hostnames and check if they are reporting to splunk deployment server in a dashbaord

arunsundarm · ‎03-10-2023

Thank you so much for the response, Is it possible to make the users upload the csv file into a dashbaord instead of a lookup file?

gcusello · ‎03-10-2023

Hi @arunsundarm,

You could also use the commain inputcsv, that probably works, but I usually use a lookup, and I hint to use the same approach.

Ciao.

Giuseppe

gcusello · ‎03-10-2023

Hi @arunsundarm,

you could run something like this:

| metasearch index=_internal
| dedup host
| table host
| outputlookup perimeter.csv

in this way you have a list of host that reported in a period (e.g. last month) and the list is saved in a lookup called perimeter.cav.

You can manage this lookup in two ways:

schedule the above search e.g. every night to update the lookup,
manually update the lookup with new or cancelled hosts.

the first solution is easier but gives you less control: is there's an host that didn't connect in the last month you don't detect the missing one.

The second solution, requires more work, but gives you more control.

To my customers, I hint the second solution!

Then you can run a search like this to check if there's some host missing:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0
   | fields host count
   ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Splunk Dashboard UF search to check if they're reporting back to Splunk?

dashboard

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services