Re: How to table list of values from lookup NOT fo...

_gkollias · ‎08-03-2015

I have a lookup that lists x number of values. I would like to be able to discover how many of those aren't actually logged in Splunk and table them. Initially, I tried something like this:

inputlookup lookup_values.csv  NOT [search index=contract_gateway sourcetype=esb_audit bp_bp_name=* | fields *]
| table values
| dedup values

I am not getting any results, but I know I am missing results by the count of results I see when I pull all data that I can find in Splunk for that list of values.

Any insights on query enhancements would be greatly appreciated.

Thanks in Advance

woodcock · ‎08-03-2015

Let us assume both sets of data share a field called host, then do it like this:

index=contract_gateway sourcetype=esb_audit bp_bp_name=* | eval type=events
| appendpipe [|inputlookup lookup_values.csv | eval type=lookup]
| stats dc(type) AS numTypes values(*) AS * BY host
| where numTypes=1 AND type=events

_gkollias · ‎08-03-2015

Thanks, Woodcock

I attempted to run the search, however it's running extremely slow and I'm afraid of sucking the memory out of the indexer :). The values I am looking for are spread across a 120 day time range, so essentially I am running the query over "All time".

I'll try and come up with something similar to help with its performance.

woodcock · ‎08-03-2015

I don't think there is much opportunity for optimization, unfortunately, but this approach should definitely work.

How to table list of values from lookup NOT found in Splunk?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases