Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass the value in main query from the lookup file in a list of servers?

DataOrg
Builder
‎08-28-2018 12:17 AM

I have a list of server in lookup file and I want to create an alert.
The list of server names in the lookup file(around 90 servers) and I need to pass the value in the main query from the lookup file.

The column server has a value with around 90servers so I need to pass the 90 servers values in the search.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-28-2018 12:22 AM

index=foo [| inputlookup yourlookup.csv OUTPUTNEW hostFieldFromLookup AS host | fields host | format host]

Which will turn into

index=foo (host=hostname1 OR host=hostname2 OR ...)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎08-28-2018 12:23 AM

if lookup file is already created in splunk then use

...|inputlookup <filename>
0 Karma
Reply
Solved! Jump to solution

DataOrg
Builder
‎08-28-2018 12:35 AM

it will not work.

i need to read the lookup file and pass the value to sub-search

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎08-28-2018 12:54 AM

have you created lookup file in splunk? what is the name of lookup file?

0 Karma
Reply
Solved! Jump to solution

DataOrg
Builder
‎08-28-2018 01:07 AM

i am using below search

|inputlookup production_sites where Type="Data"|fields Type|format|table search|mvexpand search | stats count by search|rename search as R|map search="search index="perfmo" host=\"$R$\" source="Perfmon" sourcetype="Physical_Disk" counter="sec/Read" (instance="*G:" OR instance="*J:")"

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎08-28-2018 03:47 AM

can you share sample values of lookup 

|inputlookup production_sites

check if this above query gives output

|inputlookup production_sites where Type="Data"|fields Type

this query only give Type="data" as field I don't hink if thats you are looking for
as fields command limits the output to show only specific fields in this case as Type

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-28-2018 12:22 AM

index=foo [| inputlookup yourlookup.csv OUTPUTNEW hostFieldFromLookup AS host | fields host | format host]

Which will turn into

index=foo (host=hostname1 OR host=hostname2 OR ...)

0 Karma
Reply
Solved! Jump to solution

DataOrg
Builder
‎08-28-2018 12:32 AM

i need to get a data from lookup file and have to pass it in same query of the sub search

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...