
Automatic lookup to match hostnames with and without FQDN

3DGjos
Communicator

Hello, I need to generate an automatic lookup to match certain hosts for a project I'm working on.

The thing is, I have a list of servers in my scope, but this list sometimes contains only hostnames and other times the full FQDN, and that may differ from what I have in my host field in Splunk metadata.

Example of the CSV:

"host" ,"description"
host1, dboraclehost1
host2, dboraclehost2
host3.mydomain.net, dboraclehost3
host4, "host4"
host5.dathost,net, "thehost5"

And in Splunk, in my host field I may have:
host1.mydomain.net
host5
host3
host4,thedomain.com

If that is achievable via the UI, that would be best, but I can still do it with the .conf files.

Best regards!

0 Karma
1 Solution

nickhills
Ultra Champion

You need your lookup to contain the wildcard (and in the correct place) so your lookup needs to look like this:

host, description
host1*, dboraclehost1
host2*, dboraclehost2
host3*, dboraclehost3
host4*, host4description
host5*, host5description

Then you need to create a lookup definition. You can do this via the UI.
Give it a name, select file-based, and select your lookup.csv
- make sure to tick advanced options, and specify WILDCARD(host) under match type.

You can then search like:
<your search>|lookup host_description_definition host OUTPUT description

And make it automatic if you wish.

If my comment helps, please give it a thumbs up!


0 Karma


3DGjos
Communicator

Thanks, I also made a report which formats the hostnames to hostname*

This includes hosts which cannot be resolved. I'll post the query in case someone needs something similar:

(This works only if a previous unformatted lookup is present. This report formats it.)

#lookup filler hosts
| inputlookup preliminar_hosts.csv
| rex field=host "(?<host>\d{1,}\.\d{1,}\.\d{1,}\.\d{1,}|[^.]+)"  
| eval host=(host + "*"), is_in_scope=1
| outputlookup processed_hosts.csv

Then, with processed_hosts.csv, I made an automatic lookup which delivers the description and is_in_scope fields for every match.

Thanks a lot!!

0 Karma
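An added example, not part of the original posts and not Splunk code: a Python check to run over a scope list before loading it as a wildcard lookup. It applies the same short-name rule as the rex above and reports event hosts that a `name*` key matches without being that host (for example `host1*` also matching `host10`). The function names and sample host values are constructed, and `wildcard_match` is an approximation of the WILDCARD match type that assumes case-sensitive matching.

```python
import re

# Same rule as the rex in the post above: keep a dotted-quad IP whole,
# otherwise keep everything before the first dot.
SHORT_NAME = re.compile(r"\d{1,}\.\d{1,}\.\d{1,}\.\d{1,}|[^.]+")


def to_pattern(raw_host):
    """Turn a scope entry (short name, FQDN or IP) into a 'name*' lookup key."""
    match = SHORT_NAME.search(raw_host.strip())
    if match is None:
        raise ValueError(f"no usable host name in {raw_host!r}")
    return match.group(0) + "*"


def wildcard_match(pattern, value):
    """Approximate a wildcard match: '*' is any run of characters (assumed case-sensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def audit(scope_hosts, event_hosts):
    """Return (matches, unintended, ambiguous) for the generated lookup keys.

    matches:    event host -> every key that matches it
    unintended: event host -> keys that match although the host's own short name differs
    ambiguous:  event host -> keys, where more than one key matches
    """
    patterns = sorted({to_pattern(h) for h in scope_hosts})
    matches = {h: [p for p in patterns if wildcard_match(p, h)] for h in event_hosts}
    unintended = {}
    for host, keys in matches.items():
        wrong = [p for p in keys if p != to_pattern(host)]
        if wrong:
            unintended[host] = wrong
    ambiguous = {h: keys for h, keys in matches.items() if len(keys) > 1}
    return matches, unintended, ambiguous


# Constructed sample data: scope entries as they might appear in the CSV,
# and host values as they might appear on events.
SCOPE = ["host1", " host3.mydomain.net", "host10.mydomain.net", "10.1.2.3"]
EVENTS = ["host1.mydomain.net", "host3", "host10",
          "host1-old.mydomain.net", "10.1.2.30", "Host3.mydomain.net"]

if __name__ == "__main__":
    for label, result in zip(("matches", "unintended", "ambiguous"), audit(SCOPE, EVENTS)):
        print(label, result)
```

Any host listed under `unintended` would be tagged `is_in_scope=1` by the wildcard key even though it is a different machine, so those keys are candidates for an exact entry or a tighter pattern such as `host1.*` next to a plain `host1` row.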