Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use inputlookup to check if hosts in a CSV have been sending events to Splunk, then use eval to output "yes" or "no"?

sbattista09
Contributor
‎07-06-2016 07:05 AM

I want to inputlookup a CSV and search the hosts in the CSV to see if they have been reporting into Splunk, and then table a report that will have the host names from the CSV with an added column that displays "yes" or "no". Not sure how I can use the eval statement to do something like eval if count is 0=no if >0=yes

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime

View solution in original post

Reply
Solved! Jump to solution

Stevelim
Communicator
‎07-06-2016 07:18 AM

You might want to use a case statement instead:

input Lookup search | eval Results =case(count == 0, "Yes", count >= 0, "No")

You can also refer to this quick reference:

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2016 07:14 AM

Try this:

| inputlookup HostList.csv 
| eval count=0 
| eval host=upper(host) 
| append [ 
|metasearch index=main latest=-7d
| eval host=upper(host) 
| stats count by host
] 
| stats sum(count) AS Total by host 
| where Total=0
| table host

after you can use eval to show the status or rangemap (see the dashboard example "Table Iconset (Rangemap)" in "Splunk 6.x Dashboard Examples".

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-06-2016 07:13 AM

Something like this would get you most of the way there. I think. This would display a table of the host, the last time it reported, and then if it is reporting or not. 

| inputlookup servers.csv |  join type=left host [|metadata type=hosts ] | table host lastTime | eval reporting=case(isnull(lastTime), "no", 1=1, "yes") |  eval time=strftime(lastTime,"%b %d %T %Y %Z")  | fields - lastTime
Reply
Solved! Jump to solution

sbattista09
Contributor
‎07-06-2016 11:27 AM

is there a way to format the lastTime field so that it is more human readable?

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎07-06-2016 11:41 AM

Definitely, I just modified the search for you

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎07-06-2016 07:12 AM

You can use an eval like that

| eval existing_field=if(count == "0", "No", "Yes")

Another option if the field might exist and might not:

| eval existing_field=if(isnull(field), "No", "Yes")

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...