Re: subtract csv results by metadata source

gnoellbn · ‎01-10-2014

I'm trying to subtract the list of host contains in my csv file in field "clients_supprimes" to results of host not reporting to Splunk through a search in the metadata.

So normally I would do something like this :

| metadata hosts NOT [search source="/opt/splunk/sources_manuelles/suppression_client.csv" | table clients_supprimes] | ...

But that doesn't work, same thing if I put the search before the first pipe because metadata has to be first in the search.

Would you have any idea ?

donnymcbride · ‎03-03-2014

What is the typo? What is the correct search that works?

somesoni2 · ‎01-10-2014

Try following

|metadata type=hosts index=* | search NOT [search source="/opt/splunk/sources_manuelles/suppression_client.csv" | table clients_supprimes | rename clients_supprimes as host]

Also, if the file suppression_client.csv is static and doesn't change often, consider making it as lookup table file.

donnymcbride · ‎03-03-2014

Please identify typo and the search that is correct and works

somesoni2 · ‎01-10-2014

Sorry there was a typo. Corrected it. Its seems to be working fine for me (tested with a csv file of my own).

When you want to run the subsearch standalone, you don't need the keyword "search" to be prefixed. Its only required when using subsearch.

gnoellbn · ‎01-10-2014

It doesn't seem to work, it seems like it's because of the "[search". It returns "No matching field exist"
If I do a standalone search I need to remove it for it to work but if I do in the subsearch it gives me an error.

subtract csv results by metadata source

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!