Re: subtract csv results by metadata source

gnoellbn · ‎01-10-2014

I'm trying to subtract the list of host contains in my csv file in field "clients_supprimes" to results of host not reporting to Splunk through a search in the metadata.

So normally I would do something like this :

| metadata hosts NOT [search source="/opt/splunk/sources_manuelles/suppression_client.csv" | table clients_supprimes] | ...

But that doesn't work, same thing if I put the search before the first pipe because metadata has to be first in the search.

Would you have any idea ?

donnymcbride · ‎03-03-2014

What is the typo? What is the correct search that works?

somesoni2 · ‎01-10-2014

Try following

|metadata type=hosts index=* | search NOT [search source="/opt/splunk/sources_manuelles/suppression_client.csv" | table clients_supprimes | rename clients_supprimes as host]

Also, if the file suppression_client.csv is static and doesn't change often, consider making it as lookup table file.

donnymcbride · ‎03-03-2014

Please identify typo and the search that is correct and works

somesoni2 · ‎01-10-2014

Sorry there was a typo. Corrected it. Its seems to be working fine for me (tested with a csv file of my own).

When you want to run the subsearch standalone, you don't need the keyword "search" to be prefixed. Its only required when using subsearch.

gnoellbn · ‎01-10-2014

It doesn't seem to work, it seems like it's because of the "[search". It returns "No matching field exist"
If I do a standalone search I need to remove it for it to work but if I do in the subsearch it gives me an error.

subtract csv results by metadata source

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases