How do I add a host name from another index to a scheduled report which has a table from other index?

pragi_eashwar
Engager

Scheduled report query:

index=a threat=critical vulnerability=high | table ip,a,b,c

Requirement: how do I add the host name of the ip to this report, when the host name is present in the logs located in another index?

1 Solution

gcusello
SplunkTrust

Hi pragi_eashwar,
you can follow two ways:

  • if you have a more or less static situation, you can put your hostnames and IPs in a lookup and use it to insert hostnames in your report;
  • if you have a dynamic situation, you can use commands like appendpipe or join to add the hostname to each row of your report.

I suggest using the lookup because it is quicker.

You can maintain the hostnames in your lookup using a scheduled search, every night (or at a different frequency), e.g.:

your_search
| dedup host
| table host ip
| outputlookup hostnames.csv

After that you can use it:

index=a threat=critical vulnerability=high
| lookup hostnames.csv ip OUTPUT host
| table ip host a b c

Bye.
Giuseppe

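For the dynamic case the answer mentions, the following is an added example of the join-based approach; it is not part of the original post. It assumes the logs that carry the host names live in index=b, that both indexes expose the address in a field named ip and that the other index names the machine in a field called host (rename your fields first if they differ). It also assumes a 24h window is enough to find a current name for every address.

```spl
index=a threat=critical vulnerability=high
| join type=left ip
    [ search index=b earliest=-24h ip=* host=*
      | stats latest(host) AS host BY ip ]
| fillnull value="unknown" host
| table ip host a b c
```

Two points matter for a report that feeds vulnerability triage. `type=left` keeps findings whose IP has no match in index=b; the default inner join would silently drop them, and `fillnull` makes the gap visible as "unknown" rather than an empty cell. `latest(host)` picks the most recently seen name per address, so a DHCP address reassigned during the window resolves to its current owner. The subsearch is bounded by the default subsearch limits (10,000 results and 60 seconds), so for large estates the scheduled lookup from the answer scales better than the join.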
