- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Automatic lookup to match hostnames with and w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I need to generate an automatic lookup to match certain hosts for a project i'm working on.
the thing is, I have a list of server in my scope, but this list contains sometimes only hostnames, and other times the full FQDN, and that may differ from what I have on my host field on splunk metadata.
example of the csv:
"host" ,"description"
host1, dboraclehost1
host2, dboraclehost2
host3.mydomain.net, dboraclehost3
host4, "host4"
host5.dathost,net, "thehost5"
and in splunk, on my host field I may have:
host1.mydomain.net
host5
host3
host4,thedomain.com
If that can be achievable via UI would be the best, but I can still do it with the .conf files.
best regards!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need your lookup to contain the wildcard (and in the correct place) so your lookup needs to look like this:
host, description
host1*, dboraclehost1
host2*, dboraclehost2
host3*, dboraclehost3
host4*, host4description
host5*, host5description
Then you need to create a lookup definition. You can do this via the UI
Give it a name, and select file-based and select your lookup.csv
- make sure to tick advanced options, and specify WILDCARD(host) under match type.
You can then search like:
<your search>|lookup host_description_definition host OUTPUT description
And make it automatic if you wish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need your lookup to contain the wildcard (and in the correct place) so your lookup needs to look like this:
host, description
host1*, dboraclehost1
host2*, dboraclehost2
host3*, dboraclehost3
host4*, host4description
host5*, host5description
Then you need to create a lookup definition. You can do this via the UI
Give it a name, and select file-based and select your lookup.csv
- make sure to tick advanced options, and specify WILDCARD(host) under match type.
You can then search like:
<your search>|lookup host_description_definition host OUTPUT description
And make it automatic if you wish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, I also made a report which formats the hostnames to hostname*
this includes hosts which cannot be resolved, ill host the query in case someone needs something similar:
(this works only if a previous unformatted lookup is present. this report formats it)
#lookup filler hosts
| inputlookup preliminar_hosts.csv
| rex field=host "(?<host>\d{1,}\.\d{1,}\.\d{1,}\.\d{1,}|[^.]+)"
| eval host=(host + "*"), is_in_scope=1
| outputlookup processed_hosts.csv
then with processed_hosts.csv, I made an automatic lookup which delivers the description and is_in_scope fields for every match.
thanks a lot!!
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
