I've got an inventory list, which, greatly simplified, looks like the one below, and I've made it available to Splunk as a lookup table.

    host,os_type
    m00001,linux
    m00002,linux
    m00003,linux

What I want to do is list the number of records against the inventory, including where the count is 0. The query below uses an outer join and works, but for anything longer than a few minutes I get:

    [subsearch]: Search auto-finalized after time limit (60 seconds) reached.

To be of value, the count, i.e. the inner query, would need to run for relatively long periods, say 1 day.

    | inputlookup server_list
    | fields host
    | join type=outer host [ search index=some_index | stats count by host ]
    | fillnull value=0 count

I pondered using metadata, but both metadata and inputlookup need to be the first command, so that seems to be a non-starter.

I can use the REST API and get the desired result by effectively doing the outer join outside Splunk, but I wonder what other options exist. I am probably not able to increase the subquery auto-finalize limit.
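
An added example, not part of the original post: the same zero-filled count with the index search as the main search, so the long-running part is not a subsearch and is not subject to the subsearch time limit. It uses `inputlookup append=true`, which appends the lookup rows to the existing results and can therefore run mid-pipeline. It assumes the `host` values in `server_list` match the indexed `host` field exactly, including case.

```spl
index=some_index
| stats count by host
| inputlookup append=true server_list
| fillnull value=0 count
| stats sum(count) as count values(os_type) as os_type by host
| where isnotnull(os_type)
| fields host count
```

The final `where` drops hosts that have events but are absent from the inventory, which matches the result set of the outer join in the original query.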