https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342751#M101534 <P>@samhodgson did you had any luck with that or do you need any further help?</P> Mon, 06 Nov 2017 08:46:44 GMT horsefez 2017-11-06T08:46:44Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342745#M101528 <P>Hi All,</P> <P>I have a lookup containing username,hostname and I also have an assets index storing hostname, mac, ip. Im trying to merge data from the 2 to generate an up-to-date assets lookup for Enterprise Security. So something that will iterate all entries in the lookup and search against the assets index using hostname. </P> <P>Im not sure how to best go about this, should I be using a subsearch or join or something else? please advise, i've tried playing around with subsearches to no avail so far.</P> <P>Any help would be greatly appreciated.</P> <P>Cheers</P> <P>Sam</P> Fri, 03 Nov 2017 11:21:33 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342745#M101528 samhodgson 2017-11-03T11:21:33Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342746#M101529 <P>Hi, </P> <P>how about a lookup command to merge them together?</P> <PRE><CODE>| lookup yourcsv hostname OUTPUT username </CODE></PRE> <P>After that you can pipe your results into a new csv file via <CODE>outputcsv</CODE></P> Fri, 03 Nov 2017 12:39:17 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342746#M101529 horsefez 2017-11-03T12:39:17Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342747#M101530 <P>Hi,</P> <P>Thanks for your reply. This is what im looking to do but i need to merge data from the assets index into the output too so something like:</P> <P>inputlookup hosts | [index=assets | table hostname,mac,ip] | [ get mac,ip here from search using hostnames from inputlookup] | output username, hostname, mac ip</P> <P>Hope this makes sense?</P> <P>Cheers</P> <P>Sam</P> Fri, 03 Nov 2017 12:55:26 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342747#M101530 samhodgson 2017-11-03T12:55:26Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342748#M101531 <P>Hi Sam, <BR /> no it really doesn't make much sense, but I'm trying to suggest something.</P> <PRE><CODE>index=assets | fields hostname, mac, ip | lookup yourlookupcsv hostname OUTPUT username | table username, hostname, mac, ip </CODE></PRE> Fri, 03 Nov 2017 13:01:58 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342748#M101531 horsefez 2017-11-03T13:01:58Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342749#M101532 <P>Hi Pyro,</P> <P>I think this might be close to what I want! it isn't quite working yet but will play around with it, many thanks I think this may have put me on the right track. Will let you know how i get on.</P> <P>Cheers</P> <P>Sam</P> Fri, 03 Nov 2017 13:13:29 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342749#M101532 samhodgson 2017-11-03T13:13:29Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342750#M101533 <P>Good luck on that. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 03 Nov 2017 13:18:52 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342750#M101533 horsefez 2017-11-03T13:18:52Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342751#M101534 <P>@samhodgson did you had any luck with that or do you need any further help?</P> Mon, 06 Nov 2017 08:46:44 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342751#M101534 horsefez 2017-11-06T08:46:44Z https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342752#M101535 <P>Hi Pyro,</P> <P>Thanks for coming back to me on this - i've just got back into the office today and managed to get it working <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks for your help!</P> <P>Sam</P> Tue, 07 Nov 2017 14:37:04 GMT https://community.splunk.com/t5/Splunk-Search/search-on-each-lookup-event/m-p/342752#M101535 samhodgson 2017-11-07T14:37:04Z