report count from hosts in csv file INCLUDING host...

stevenatmit · ‎06-05-2014

I'm looking for a report that can import a csv file of hosts and display the event count for the past 7 days. This csv file may have systems that have never reported to splunk and thus may have a count of zero. I can get a report that list hosts with count > 0, but it won't list the ones where count = 0. Any help would be appreciated.

stevenatmit · ‎06-05-2014

I finally found something that works, but it is a slow way of doing it.

stevenatmit · ‎06-05-2014

sure. thanks for the offer of help. my search looks like this

index=* [|inputcsv allhosts.csv] | stats count by host

and my csv file looks like this

host
goodhost1
goodhost2
unknownhost1

It reports counts from the "good" hosts, but won't report a 0 from the "unknown" host

somesoni2 · ‎06-05-2014

Assuming you have the csv file added as lookup table, try something like this

|inputcsv allhosts.csv | eval count=0 | join type=left host [search index=* [|inputcsv allhosts.csv] | stats count by host]

somesoni2 · ‎06-05-2014

My bad. try now.

stevenatmit · ‎06-05-2014

that fails with 'unknown search command 'index'

richgalloway · ‎06-05-2014

If you're willing to share your existing query, we may be able to figure out why hosts with count=0 aren't showing up.

---
If this reply helps you, Karma would be appreciated.

report count from hosts in csv file INCLUDING hosts with count=0

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!