
Build group of hosts using a Lookup

Hi,

I am a newbie at Splunk and uberAgent.

I'm looking for a tip on how to create a lookup csv file which would work with uberAgent. Every similar case I found ended up with a suggestion to use a filter, or users choose filters by themselves. In our case the easiest way is to create a csv lookup (based on what I found on Google) and use it. But how can we create it based on uberAgent data? What I need is the first line of the csv, and I will fill the rest with the data I need.

PS If something unclear I will be happy to explain.

11 comments

  • Dominik Britz (Official comment)

    Hi Witold,

    You can use the command | outputlookup YourLookupNameHere to create a lookup file. 

    Please have a look at uberAgent's savedsearches.conf file for examples. We create lookups based on searches there. It can be found in $SPLUNK_HOME\etc\apps\uberAgent\default.

    The first line will be the field names you are piping to outputlookup. To give you an example: | fields ProcName LastSeen | outputlookup lookup_processstartup_processlist will create the lookup file lookup_processstartup_processlist.csv with the first line ProcName,LastSeen.

  • Witold

    Hi Dominik,

    So let me be sure. We can create a search which shows us data from 10 hosts. Next we add at the end "| outputlookup YourLookupNameHere" and execute the search one more time.

    And after that we have a lookup which we can use to show data from these 10 machines?

    Is that right?

  • Dominik Britz

    Yes, that is correct.

    If you give us more details about the criteria for whether a host should be included in that lookup, like all hosts starting with "CTX" or similar, we could also suggest possible alternatives to using a lookup.

  • Witold

    We have many situations like tests of a new application which we implement in our environment. So before we push it to all computers we test it on 10-20 machines. We don't have a definition that "only these machines are for testing", so sometimes it could be these 10 computers and next time it could be 10 different machines.

    So this is what I think could work. We could search all data from the 10 machines:
    host_name in (host1,host2,host3,....,host10) | outputlookup test_of_winamp

    And then we can use test_of_winamp.csv to present data from these 10 hosts in uberAgent dashboards.
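
As an added example (not from the thread or from uberAgent's own savedsearches.conf), here are the two halves put together in SPL: a search that builds the host lookup from uberAgent data with outputlookup, as described in the official comment above, and a custom-dashboard search that consumes it with inputlookup as a subsearch, since the default dashboards cannot be filtered by a lookup. The index name "uberagent", the host field "host", the sourcetype "uberAgent:Process:ProcessStartup" and the host names are assumptions; adjust them to the environment.

```spl
index=uberagent host IN ("host1","host2","host3","host4","host5")
| stats latest(_time) AS LastSeen BY host
| eval Tag="Test Host"
| fields host LastSeen Tag
| outputlookup test_of_winamp.csv

index=uberagent sourcetype="uberAgent:Process:ProcessStartup"
    [| inputlookup test_of_winamp.csv | fields host]
| stats count AS Starts BY host, ProcName
```

The first search is run once and writes test_of_winamp.csv with the header line host,LastSeen,Tag; the second search is what a custom dashboard panel would run, with the subsearch expanding to an OR of the hosts listed in the lookup.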

  • Dominik Britz

    Filtering the default uberAgent dashboards by a custom lookup would not work, unfortunately. You have to create custom dashboards for that.

    Note that in the upcoming version "in" will replace "is" as a search operator for strings. With that, you could paste the names of your ten hosts in the default uberAgent dashboards. Here is what it will look like: 

    Another option would be to use a dedicated Active Directory Organisational Unit for the hosts and use uberAgent's OU filter.

    Would one of these options work for you?

  • Witold

    Oh. It's not exactly what I need. I based my thoughts on this article:
    https://support.uberagent.com/hc/en-us/articles/203440251-How-to-Separate-Data-from-Different-Types-of-Machines

    So there is no chance to present data from a limited number of machines in the default dashboards. What I want to achieve is: I log in to Splunk, go to uberAgent, choose something, and look at data from only these 10 computers.

  • Dominik Britz

    If none of our default filters or the explanations in the article you linked suit your needs, the answer is unfortunately no.

    What we have on our roadmap is a tagging feature, where you can filter hosts by different tags. Think of a registry key uberAgent reads where you store something like "Test Host". I think this would help, but is not yet implemented.

  • Witold

    Ok, so last question from me. When can we expect the new version with "in" instead of "is"?

  • Dominik Britz

    If all goes well, today :-)

  • Witold

    Thanks for info.
