Splunk Search

Comparing hosts not reporting to a separate lookup and adding supplemental information

LiquidTension
Path Finder

I came across a posting that had the following search which works amazingly well:

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

My question is, how can I take the results of this search and compare it with a lookup? My dblookup contains a lot of valuable information that a CMDB would contain (Domain Notes OS app_owner applications business_unit host host_with_fqdn patch_cycle primary_contact secondary_contact serial server_model server_platform server_status server_type site)
Specifically I am looking to know all the hosts that are present in both the results of the search above, with the lookup table I already have, and pull in the status (retired or active), and possibly supplement the results with some of the additional information that might be valuable in the lookup table.

Basically inventory control

0 Karma

somesoni2
Revered Legend

If you're using dblookup using dbconnect try something like this (http://docs.splunk.com/Documentation/DBX/1.1.4/DeployDBX/Setupadatabaselookuptable#Create_a_lookup_b...)

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | lookup local=1 yourdblookup host OUTPUT add Your Columns here | table age,host,lastTime Your Columns here

For regular csv lookup tables, pretty much the same.

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | lookup  yourdblookup.csv host OUTPUT add Your Columns here | table age,host,lastTime Your Columns here

woodcock
Esteemed Legend

You also have to add | where isnotnull(SomeFieldInYourLookupFile) to strip out the hosts that are not found. This solution is better than mine because it does not use a subsearch.

0 Karma

woodcock
Esteemed Legend

Like this:

| metadata index=* type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime | eval type=metadata | append [|inputlookup max=0 YourLookup | eval type=lookup] | stats values(*) AS * | where mvcount(type)=2
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...