I have this search where the splunk_check_hostnames.csv is a single column of hostnames with hostname as the header.
index=_internal sourcetype=splunkd earliest=-24h
[| inputlookup splunk_check_hostnames.csv]
| stats count by hostname, version, os
It works nicely. I'm trying to figure out how to do the below search without having to use a second lookup with the header being host.
index=os_* sourcetype=linux_secure OR source=WinEventLog:Security earliest=-24h
[| inputlookup splunk_check_hostnames.csv]
| stats count by host, index, sourcetype
Any thoughts?
TIA,
Joe
index=os_* sourcetype=linux_secure OR source=WinEventLog:Security earliest=-24h
[| inputlookup splunk_check_hostnames.csv | rename hostname as host]
| stats count by host, index, sourcetype
What is it that you are trying to achieve, particularly, with (or without) the lookup?
My plan is to put 2 searches into a dashboard that output the information requested for a security audit. Each panel would be the associated search. Thus the first search would have
hostname     version   os        count
hostname_1   8.0.1     Linux     18511
hostname_2   7.2.4     Windows   18609
...
hostname_n   8.0.1     Linux     18579
The second would have
host         index        sourcetype      count
hostname_1   os_nix       linux_secure    5208
hostname_2   os_windows   WinEventLog     10020
...
hostname_3   os_nix       linux_secure    748
Joe
So what is the question? Are you trying to avoid using the lookup in the second panel, even though it is required to filter the hosts?
That is my question. The data is the same except for the header needed. The first search requires hostname and the second search requires host. I'm trying to use the same csv file for both.
index=os_* sourcetype=linux_secure OR source=WinEventLog:Security earliest=-24h
[| inputlookup splunk_check_hostnames.csv | rename hostname as host]
| stats count by host, index, sourcetype
Thanks. I thought I tried that yesterday. I must have had a typo. Thanks again. Answer accepted.
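For reference, here is the two-panel dashboard Joe describes, built around the accepted answer so that both panels share the one splunk_check_hostnames.csv lookup and only the second panel renames hostname to host inside its subsearch. This is an added Simple XML example, not code from the thread; the dashboard label and panel titles are assumptions, the time range is moved from inline earliest=-24h into the search's earliest/latest elements, and the sourcetype/source OR pair is wrapped in parentheses so that index=os_* applies to both sides rather than only to the linux_secure branch.

```xml
<dashboard>
  <label>Security audit: monitored hosts</label>
  <row>
    <panel>
      <title>Splunk version and OS per host</title>
      <table>
        <search>
          <!-- Lookup header is "hostname", which matches the splunkd field, so no rename is needed -->
          <query>index=_internal sourcetype=splunkd
  [| inputlookup splunk_check_hostnames.csv]
| stats count by hostname, version, os</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Security log volume per host</title>
      <table>
        <search>
          <!-- Same lookup; the subsearch renames hostname to host so the
               generated filter matches the "host" field on these events -->
          <query>index=os_* (sourcetype=linux_secure OR source=WinEventLog:Security)
  [| inputlookup splunk_check_hostnames.csv | rename hostname as host]
| stats count by host, index, sourcetype</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

To confirm what the second subsearch actually feeds into the outer search, run `| inputlookup splunk_check_hostnames.csv | rename hostname as host | format` on its own: it prints the generated clause, which should read `( ( host="hostname_1" ) OR ( host="hostname_2" ) ... )`. Without the rename the clause is built on hostname="..." instead, a field the linux_secure and WinEventLog events do not carry, so the panel quietly returns no rows rather than failing, which is an easy gap to miss in an audit dashboard.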