Solved: Can you help to match events with an inputlookup s...

jip31 · ‎02-25-2019

Hi,

I use the basic query below in order to collect the model of a host (workstation)

index="xx" sourcetype="WMI:Model" | table host Model

In parallel, I have a CSV file called "cmdb" where there is a field called "HOSTNAME", which refers to the field "host" in my search

I want to match these 2 fields (host and HOSTNAME) in order to collect in a same table the host, the Model and other fields of my CSV file like CLIENT_USER COUNTRY STATUS ROOM SITE & TOWN

Could you help me please??

chrisyounger · ‎02-25-2019

Try this: index="xx" sourcetype="WMI:Model" |fields host Model | lookup cmdb HOSTNAME as host OUTPUTNEW | table *

View solution in original post

chrisyounger · ‎02-25-2019

Try this: index="xx" sourcetype="WMI:Model" |fields host Model | lookup cmdb HOSTNAME as host OUTPUTNEW | table *

avoelk · ‎01-04-2023

I know this answer is pretty old but, does this kind of lookup match command work within tstats or how would I need to re arrange it?

jip31 · ‎02-25-2019

perfect thanks

Can you help to match events with an inputlookup search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life