Hi
I am currently using the search below to match a search against a workstation name (host):
eventtype=Charge AND (host=toto OR host=tata OR host=titi)
But I have a huge list of hosts, so I have to find another solution.
I tried this, but I get no results:
eventtype=Charge AND index="tutu" sourcetype="tete" "$IND$"
"$IND$" is a flag that I can find in host=toto OR host=tata OR host=titi, and it identifies these machines.
It's strange, because when I just run index="tutu" sourcetype="tete" "$IND$"
it returns the correct host list.
What is the issue, please?
So I planned to do something like this:
eventtype=Charge [|inputlookup host.csv]
OR
eventtype=Charge
| join type=outer host
[ search index="tutu" sourcetype="tete" "$IND$" ]
What is the best way to do what I want?
Are there other solutions?
Thanks for your help.
eventtype=Charge AND index="tutu" sourcetype="tete" "$IND$"
is not using a subsearch, you're just adding extra search criteria.
Try: eventtype=Charge [ search index="tutu" sourcetype="tete" "$IND$" | stats count by host | table host ]
See also: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches
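To make the difference between "extra criteria" and a subsearch concrete, here is an added simulation in Python. It is not Splunk code and not part of the original thread; it only mimics how Splunk evaluates the searches in the question. The events, the index name "charge" for the Charge events, and the host.csv contents are constructed assumptions: Charge events are assumed to live in their own index and never contain the `$IND$` marker, while the inventory events in index tutu / sourcetype tete do.

```python
"""Simulate how Splunk evaluates the searches from the thread.

Added illustration, not Splunk code. The events below are constructed:
Charge events live in an assumed index "charge" and never contain the
$IND$ marker; the inventory events in index tutu / sourcetype tete do.
"""
import csv
import io

# Constructed sample events (hypothetical data, not from the thread).
EVENTS = [
    {"index": "charge", "sourcetype": "charge_log", "eventtype": "Charge", "host": "toto", "_raw": "cpu=91"},
    {"index": "charge", "sourcetype": "charge_log", "eventtype": "Charge", "host": "tata", "_raw": "cpu=12"},
    {"index": "charge", "sourcetype": "charge_log", "eventtype": "Charge", "host": "zzz", "_raw": "cpu=40"},
    {"index": "tutu", "sourcetype": "tete", "eventtype": "", "host": "toto", "_raw": "flag=$IND$ role=ws"},
    {"index": "tutu", "sourcetype": "tete", "eventtype": "", "host": "tata", "_raw": "flag=$IND$ role=ws"},
    {"index": "tutu", "sourcetype": "tete", "eventtype": "", "host": "titi", "_raw": "flag=$IND$ role=ws"},
    {"index": "tutu", "sourcetype": "tete", "eventtype": "", "host": "zzz", "_raw": "role=server"},
]


def matches(event, fields=None, raw_terms=()):
    """One event must satisfy every field=value pair AND every literal term."""
    fields = fields or {}
    return all(event.get(k) == v for k, v in fields.items()) and all(
        term in event["_raw"] for term in raw_terms
    )


def extra_criteria_search(events):
    """eventtype=Charge AND index="tutu" sourcetype="tete" "$IND$"

    Every term applies to the same event: it must be a Charge event AND sit
    in index tutu / sourcetype tete AND contain $IND$. No event does."""
    want = {"eventtype": "Charge", "index": "tutu", "sourcetype": "tete"}
    return [e for e in events if matches(e, want, ("$IND$",))]


def format_hosts(hosts):
    """Mimic the OR list a subsearch (and the `format` command) expands to:
    ( ( host="tata" ) OR ( host="titi" ) OR ( host="toto" ) )"""
    terms = " OR ".join(f'( host="{h}" )' for h in sorted(hosts))
    return f"( {terms} )"


def inner_search(events):
    """index="tutu" sourcetype="tete" "$IND$" | stats count by host | fields host"""
    want = {"index": "tutu", "sourcetype": "tete"}
    return {e["host"] for e in events if matches(e, want, ("$IND$",))}


def subsearch_search(events):
    """eventtype=Charge [ search ... | stats count by host | fields host ]

    The inner search runs first; its hosts are substituted into the outer
    search as an OR list, so Charge events are filtered on host only."""
    hosts = inner_search(events)
    expanded = f"eventtype=Charge {format_hosts(hosts)}"
    results = [e for e in events if matches(e, {"eventtype": "Charge"}) and e["host"] in hosts]
    return expanded, results


HOST_CSV = "host\ntoto\ntata\ntiti\n"  # constructed stand-in for host.csv


def inputlookup_search(events, csv_text=HOST_CSV):
    """eventtype=Charge [ | inputlookup host.csv | fields host ]

    Same mechanism; the host list comes from the lookup instead of a search."""
    hosts = {row["host"] for row in csv.DictReader(io.StringIO(csv_text))}
    return [e for e in events if matches(e, {"eventtype": "Charge"}) and e["host"] in hosts]


if __name__ == "__main__":
    print("extra criteria :", len(extra_criteria_search(EVENTS)), "events")
    expanded, hits = subsearch_search(EVENTS)
    print("subsearch      :", expanded)
    print("                ", [e["host"] for e in hits])
    print("inputlookup    :", [e["host"] for e in inputlookup_search(EVENTS)])
```

In real Splunk you can see the same expansion by running the inner search with `| format` appended, or in the Job Inspector of the outer search. Two caveats a subsearch carries: by default it returns at most 10,000 results and is cut off after 60 seconds (limits.conf, `subsearch_maxout` and `subsearch_maxtime`), so deduplicate with `stats count by host` and keep only the host field; and `join` is the heavier option because it reads both result sets before matching, so the subsearch form, or a lookup-based host list, is the usual choice.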