Dears,
I'm trying to use a lookup in Splunk to read a file and tell me if I'm collecting logs from the hosts in that file.
What I need: check if I'm getting logs from the hosts that are in a CSV.
I am using the following query:
index = main OR index = client * | stats count by host | lookup client_sys hostname AS host
I also tried using the inputlookup command, but it did not work:
index = main OR index = client * NOT [| inputlookup client_sys.csv | fields host]
Is there any other way to do this?
Thanks a lot.