Solved: How do I add a host name from another index to a s...

pragi_eashwar · ‎05-03-2017

Scheduled report
Query
Index=a threat=critical vulnerability=high | table ip,a,b,c
Requirement
How to add host name of the ip to this report which is present in the Logs situated in another index ?

gcusello · ‎05-03-2017

Hi pragi_eashwar,
you can follow two ways:

if you have a more or less static situation, you can put your hostnames and IPs in a lookup and use it to insert hostames in your report;
if you have a dynamic situation, you can use commands like appendpipe or join to add the hostname to each row of your report.

I suggest to use Lookup because is quicker.

Your can manage hostnames in you lookup using a scheduled search, every night (or a different frequency) e.g.:

your_search
| dedup host
| table host ip

after you can use it

index=a threat=critical vulnerability=high 
| lookup hostnames.csv ip OUTPUT host
| table ip host a b c

Bye.
Giuseppe

View solution in original post

gcusello · ‎05-03-2017

Hi pragi_eashwar,
you can follow two ways:

if you have a more or less static situation, you can put your hostnames and IPs in a lookup and use it to insert hostames in your report;
if you have a dynamic situation, you can use commands like appendpipe or join to add the hostname to each row of your report.

I suggest to use Lookup because is quicker.

Your can manage hostnames in you lookup using a scheduled search, every night (or a different frequency) e.g.:

your_search
| dedup host
| table host ip

after you can use it

index=a threat=critical vulnerability=high 
| lookup hostnames.csv ip OUTPUT host
| table ip host a b c

Bye.
Giuseppe

How do I add a host name from another index to a scheduled report which has a table from other index?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!