Splunk Search

How to match a lookup and a search over an index?

pstamati
Path Finder

I have a lookup table with all active server names and I want to validate which servers on this list are running a specific agent. I have the servers with this agent's status on a different index.

The desired output would be to use the lookup table as input and use the common field dnsName to see which entries in the lookup have a match in the index. Is there any way to do this?
Initially I thought of creating another lookup with the results of the search on this index and then comparing lookup against lookup, but I was wondering if there is any way to avoid creating the 2nd lookup table.

Thanks in advance for any help you can provide.

0 Karma

woodcock
Esteemed Legend

Like this:

index=foo [ | inputlookup servers.csv | fields dnsName | format ]
| eval which="DATA"
| inputlookup append=t servers.csv
| eval which=coalesce(which, "LOOKUP")
| stats values(*) AS * dc(which) AS which_count BY dnsName

Now, those which have which_count==2 are in both and those which have which_count==1 are in one but not the other, as noted by the value of which.

0 Karma

richgalloway
SplunkTrust

You should be able to do that with inputlookup in a subsearch.

index=foo [ | inputlookup servers.csv | fields dnsName | format ]
---
If this reply helps you, Karma would be appreciated.
0 Karma

pstamati
Path Finder

Hey, thanks for your reply. Let's say my universe of devices is in the lookup, and then a portion of those servers are running a specific agent that is sending its status to index=agent_status, so I want to run a report to understand, from the population of servers in the lookup table, which of those have the agent and in what status.

I tried what you suggested, although I'm not sure it's doing what I'm looking for.

0 Karma

pstamati
Path Finder

For instance, how can you validate which server names are in the lookup but not in the index?

0 Karma

richgalloway
SplunkTrust

My answer returns events from the 'foo' index that have a dnsName value present in the servers.csv lookup file.
To find servers not in the index, use NOT.

index=agent_status NOT [ | inputlookup servers.csv | fields dnsName | format ]

I don't have enough information to tell you how to get the specific agent information, but I hope this gets you headed in the right direction.

---
If this reply helps you, Karma would be appreciated.
0 Karma
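Putting the two replies together for the report the original poster asked for (every server in the lookup, whether the agent reports for it, and its latest status) could look like the search below. This is an added example, not code from either answer; it assumes the agent events carry a field named status (hypothetical) and that servers.csv has a dnsName column, as in the thread.

```spl
index=agent_status [ | inputlookup servers.csv | fields dnsName | format ]
| stats latest(status) AS agent_status latest(_time) AS last_seen BY dnsName
| eval which="DATA"
| inputlookup append=t servers.csv
| eval which=coalesce(which, "LOOKUP")
| stats values(which) AS sources values(agent_status) AS agent_status max(last_seen) AS last_seen BY dnsName
| eval agent_present=if(isnotnull(mvfind(sources, "DATA")), "yes", "no")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table dnsName agent_present agent_status last_seen
| sort agent_present dnsName
```

The subsearch restricts the index scan to names in the lookup, the first stats collapses events to one row per server, and appending the lookup afterwards makes servers with no agent events appear with agent_present="no" and an empty status. Servers that report but are missing from the lookup are deliberately excluded by the subsearch filter; drop it if you also want to see those.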