How do I compare a lookup with a search?

mokabe · ‎08-01-2022

I wanted to compare a Lookup with a Search:

Ex:

Lookup "list_host_lookup.csv"

Server
AA
BB
CC
DD
EE
FF
GG

Search
index=abcddf sourcetype
| dedup Host
| table HOST STATUS

HOST STATUS

AA Active
BB Active
CC Off
DD Active
GG Off
HH Active
II Off

If the lookup host (list_host_lookup.csv) is not in the Search or if it is in the Search and is "Off", create a "NOK" field.
If the lookup host (list_host_lookup.csv) is in the Search or if it is in the Search and is "Active", create an "OK" field.

dural_yyz · ‎08-03-2022

| inputlookup list_host_lookup.csv
| join
   [ search index=abcddf sourcetype
     | stats latest(Status) as Status by host]
| table host Status
| eval new_field=case(Status="Active",OK)
| fillnull value=NOK new_field

Use this as a starting point but you may find a desire to edit and customize as you see fit.

How do I compare a lookup with a search?

other

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...