I have a lookup table with all active server names and I want to validate which servers on this list are running a specific agent. I have the servers with this agent status in a different index.
The desired output would be to use the lookup table as input and use the common field dnsName to see which entries in the lookup have a match in the index. Is there any way to do this?
Initially I thought of creating another lookup with the results of the search in this index and then comparing lookup to lookup, but I was wondering if there is any way to avoid creating the 2nd lookup table.
Thanks in advance for any help you can provide.
Like this:
index=foo [ | inputlookup servers.csv | fields dnsName | format ]
| eval which="DATA"
| inputlookup append=t servers.csv
| eval which=coalesce(which, "LOOKUP")
| stats values(*) AS * dc(which) AS which_count BY dnsName
Now, those which have which_count==2 are in both, and those which have which_count==1 are in one but not the other, as noted by the value of which.
You should be able to do that with inputlookup in a subsearch.
index=foo [ | inputlookup servers.csv | fields dnsName | format ]
Hey, thanks for your reply. Let's say my universe of devices is in the lookup, and then a portion of those servers are running a specific agent that is sending its status to index=agent_status, so I want to run a report to understand, from the population of servers in the lookup table, which of those have the agent and in what status.
I tried what you suggested, although I'm not sure it is doing what I'm looking for.
For instance how can you validate which server names are in the lookup but not in the index?
My answer returns events from the 'foo' index that have a dnsName value present in the servers.csv lookup file.
To find servers not in the index, use NOT.
index=agent_status NOT [ | inputlookup servers.csv | fields dnsName | format ]
I don't have enough information to tell you how to get the specific agent information, but I hope this gets you headed in the right direction.
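Putting the two answers above together, here is an added example (not from any of the posters in this thread) of one search that produces the report the question asks for: every server in the lookup, whether agent events exist for it, and the latest status. It assumes the index is named agent_status, the shared field is dnsName in both the lookup and the events, and the agent reports its state in a field named status; all three names are assumptions, so adjust them to your data.

```spl
| inputlookup servers.csv
| fields dnsName
| eval dnsName=lower(dnsName), which="LOOKUP"
| append
    [ search index=agent_status earliest=-24h
      | eval dnsName=lower(dnsName)
      | stats latest(status) AS agent_status latest(_time) AS last_seen BY dnsName
      | eval which="INDEX" ]
| stats values(which) AS which values(agent_status) AS agent_status max(last_seen) AS last_seen BY dnsName
| eval which_count=mvcount(which)
| eval coverage=case(which_count==2, "in lookup, agent reporting",
                     which=="LOOKUP", "in lookup, no agent events",
                     which=="INDEX",  "agent reporting, not in lookup")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table dnsName coverage agent_status last_seen
| sort coverage dnsName
```

The stats inside the appended subsearch collapses the raw events to one row per host before they are merged with the lookup, so the result set is bounded by the number of hosts rather than the number of events; that matters because an append subsearch is subject to the subsearch row and time limits (50,000 rows and 60 seconds by default), and a raw-event append on a busy index will silently truncate. Lowercasing dnsName on both sides avoids the common failure where a lookup holds "SRV01.example.com" and the agent reports "srv01.example.com" and the two never join. To list only the servers that are in the lookup but have no agent events, add `| where coverage="in lookup, no agent events"` before the table command; the NOT form in the last answer gives the opposite set, hosts reporting an agent that are missing from the lookup, which is itself worth reviewing as a sign the lookup is stale.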