Problem:
I have 200,000 Splunk events from which I only want 15,000 events (like VLOOKUP in Excel).
Splunk events contain (200,000 hosts): host version kernel
lookup table contains (15,000 hosts): host window
I only want results for the hosts listed in the lookup table (15,000).
I tried using join but it truncates the result.
Query: | inputlookup "host.csv" | rename HOST as host | join host [search index=server_info platform=redhat message="SYSINFO*" host="*" ] | table host version kernel window | where window != " "
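An added example (not part of the question above) of how the same filtering is usually done in SPL without join. The join command runs the bracketed search as a subsearch, and subsearches are capped by limits.conf (the [join] stanza's subsearch_maxout and subsearch_maxtime, and the general [subsearch] maxout of 10,000 results by default), which is why results get truncated. The lookup command instead enriches each event as it streams past, with no subsearch and no result cap. This assumes host.csv has been uploaded as a lookup table file with columns HOST and window, and that the events carry the fields host, version and kernel as described in the question:

```spl
index=server_info platform=redhat message="SYSINFO*"
| lookup host.csv HOST AS host OUTPUT window
| where isnotnull(window) AND window != ""
| table host version kernel window
```

Only events whose host matches a HOST row in host.csv receive a window value, so the where clause on window acts as the inner join. Note that the original query compares window to a single space (" "); unmatched hosts have no window field at all, so isnotnull(window) is the check that actually drops them. If the base search were instead restricted with a subsearch such as [| inputlookup host.csv | rename HOST AS host | fields host], the 15,000 rows would exceed the default subsearch maxout of 10,000 and again be silently truncated, which is why lookup is the safer choice for a list of this size.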