Here is what I am trying to do:
Within the same timeframe
1. I have a splunk search that returns all hosts in the last 24 hours that have "checked in" or returned results.
2. I created a puppet script to check against the puppet db to get a list of all hosts known to puppet.
I want to be able to run a compare against the results of both searches to find hosts that are in one and not the other.
I could create a scripted input in Splunk to send the result of puppet script to Splunk index but since both the script and the search in splunk would, in theory, return the same data from the same index how would I create the search for this?
Is this the best method to accomplish this task?
Thanks for any assistance!
One way would be to save the puppet results in a lookup file (with a header/field called host). Afterwards, run the Splunk search to find "checked_in" hosts, dedup those, add that puppet lookup file, and finally show hosts that were not in both. Something like this:
base_search_to_return_checked_in_hosts_from_splunk | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2
One way would be to save the puppet results in a lookup file (with a header/field called host). Afterwards, run the Splunk search to find "checked_in" hosts, dedup those, add that puppet lookup file, and finally show hosts that were not in both. Something like this:
base_search_to_return_checked_in_hosts_from_splunk | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2
Thanks for the help! I guess the problem I am having is how to get the script to save the results to a lookup file.
If iti s a scripted input, you would setup a saved search in Splunk and then run a search to find that data and then pipe results to outputlookup command.
Otherwise, if it is a script external to Splunk, you can just save the results to $SPLUNK_HOME/etc/apps/search/lookups and use it from there.
You are awesome, thanks for the assistance!
One more question:
I had the script save the results to $SPLUNK_HOME/etc/apps/search/lookups and I verified that it worked and had results by running "| inputlookup puppet_results.csv" which returned 482 results.
When I run "index=_internal | dedup host | inputlookup append=t puppet_results.csv | stats count by host | where count < 2" I get the results of the initial search but get no results from the "inputlookup" portion.
Any idea what might be the issue?
I figured out why its not working the way I want. the results from the puppet script return the results in a field named after the first result instead of in a field called "host"
Thanks for your help on this, it's much appreciated!