Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare lookup with index and number of hosts to see whats missing?

Orangebottle76
Engager
‎02-10-2023 02:08 AM

I have a lookup which in column A is the index and column B is the number of hosts, I have this as  a lookup. I would like to be able to query the number of hosts per index I have i.e. if I have three hosts in my lookup but splunk returns two I would like to see that number.

Probably a difficult query but one I am struggling with - thanks in advance!

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-10-2023 05:03 AM

Hi @Orangebottle76 ,

let me understand:

in the lookup you have in a column the host and in another the count of hosts.

there could be sone hosts without values and you want to check this, is this correct?

if this is your need, as you can read in my answer linked by @SanjayReddy, you need a list of hosts to monitor to insert in another lookup (called e.g. perimeter.csv) containing at least one column with the same fieldname of the first lookup (e.g. host), so you can run a search like this:

| inputlookup your_lookup.csv
| eval host=lower(host)
| stats values(number) AS number BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), number=0 | fields host number ]
| stats sum(number) AS number BY host

in this way you'll have the number of all hosts, also the one not present in the main lookup but present in the perimeter.csv.

Ciao.

Giuseppe

0 Karma
Reply

Orangebottle76
Engager
‎02-10-2023 05:28 AM

So I have two columns one with an index and the other with the amount of hosts that index has, I just want to query that data from my lookup to that data I have in Splunk. Sorry if I have confused you 🙂

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-10-2023 05:32 AM

Hi @Orangebottle76,

where are the two columns: in a lookup or they are the result of a search?

if in a lookup, my above search is the solution for your requirement,

if they are the result of a search, you can apply the solution indicated by @SanjayReddy from my previous answer to solve your need.In both cases the approach is:

having a lookup with the hosts to monitor and add the values from this lookup to the search results with count=0, in this way you'll also have the values not present in the main search.

Ciao.

Giuseppe

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎02-10-2023 02:15 AM

HI @Orangebottle76 

for this similiar requirement   @gcusello provided great solution , following answer will help you

https://community.splunk.com/t5/Reporting/How-to-prepare-a-list-of-hosts-that-have-not-reported-in-f... 

Reply

Orangebottle76
Engager
‎02-10-2023 02:24 AM

Hi, that thread does not quite work for me. I have tried but it does not work for what I want.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...