Hello,
I'm having a little trouble solving this one.
I managed to extract all hosts in Splunk in a table with events counted by path with the following search:
search index=*
| rex field=source "(?<file_path>.*\\\)"
| rex field=source "(?<file_path>.*\/)"
| chart count over file_path by host limit=0
| fields - source
On the other hand, I have a full inventory of our network in a csv file.
I would like to be able to filter Splunk hosts by Location (this Location field is present in the full inventory csv).
I believe that I have to use the Lookup command but I can't find out how to use it. (Both the csv and the search table have a hostname field)
The Splunk query above gives a table like this:
------------+-------+-------+-------+-----+
            | Path1 | Path2 | Path3 | ... |
------------+-------+-------+-------+-----+
Host_1      |   100 |     0 |   200 | ... |
Host_2      |   250 |  1200 |     2 | ... |
Host_3      |     0 |    10 |     0 | ... |
------------+-------+-------+-------+-----+
And I would like to add a Location column with information from the CSV to look like this:
------------+--------+-------+-------+-------+-----+
            |Location| Path1 | Path2 | Path3 | ... |
------------+--------+-------+-------+-------+-----+
Host_1      |  USA   |   100 |     0 |   200 | ... |
Host_2      |  U.K   |   250 |  1200 |     2 | ... |
Host_3      |  USA   |     0 |    10 |     0 | ... |
------------+--------+-------+-------+-------+-----+
Thank you for your help!