Solved: To find new added hosts using lookup files

gabrieltrust · ‎02-01-2024

I need to find new added hosts using lookup files.
The solutions in blog didn't work for me.

I will create a lookup file with all my hosts. ( I did)

If any new host will be added , it will be displayed.

Any help will be appreciated.

gcusello · ‎02-02-2024

if you have a lookup (called e.g. perimeter.csv) with at least one field (host), you can run something like this:

| tstats count WHERE index=* NOT [ | inputlookup perimeter.csv | fields host ] BY host

Ciao.

giuseppe

View solution in original post

gcusello · ‎02-02-2024

Hi @gabrieltrust ,

if you have a lookup (called e.g. perimeter.csv) with at least one field (host), you can run something like this:

| tstats count WHERE index=* NOT [ | inputlookup perimeter.csv | fields host ] BY host

Ciao.

giuseppe

gabrieltrust · ‎02-06-2024

Works Great! Thank you

ITWhisperer · ‎02-01-2024

Get your list of unique hosts, append your list of unique hosts from the lookup file twice, use stats to count by host, where the count is only 1, the host is not in the lookup file, where it is 2 it is only in the lookup file, where it is 3, it is in both the searched events and the lookup file.

To find new added hosts using lookup files

lookup

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...