https://community.splunk.com/t5/Splunk-Search/Lookup-Table-Comparison-with-field-and-to-return-field-value/m-p/534528#M151055 <P>Sadly it did not work, any IP i put in for field3 (whether in the whitelist or not) displayed in a table with value of "Yes" for InWhitelist&nbsp;</P><P>Also field4 that holds the hostname does not carry over to the table&nbsp;</P><P>&nbsp;</P> Wed, 30 Dec 2020 22:48:16 GMT peetchow 2020-12-30T22:48:16Z https://community.splunk.com/t5/Splunk-Search/Lookup-Table-Comparison-with-field-and-to-return-field-value/m-p/532860#M150536 <P>All,</P><P>I know there are a lot of postings with answers on lookup tables but I am still stuck.&nbsp; I have not splunked in a few years and i hit a wall even when looking back at some of my old saved strings.</P><P>I have a csv file that has 2 columns.&nbsp; One that contains IPAddress and the other that has SubnetMasks</P><P>I am searching in my logs for IPAdresses that i want to compare with the IPAddresses that are in the lookup csv file.&nbsp; if the IPAddresses are not found ... then display them in a table.</P><P>MY query is as follows:</P><P><EM>index=blah&nbsp; field3="*" | fields field3 field4 | dedup field3 | rename field3 as Source_IP | lookup ip_whitelist IPAddress AS Source_IP | eval InWhitelist="Yes" | table Source_IP IPAddress field4 InWhitelist | where InWhitelist="Yes" | sort -Source_IP</EM></P><UL><LI>where field3 is the field with the IP Addresses (extracted from delimited extractions)</LI><LI>where field4 is the field that has the hostname</LI></UL><P>This spits out a nice table but i notice IPs that are not in my whitelist are showing up.</P><P>What is wrong here !?&nbsp;</P><P>Your help is greatly appreciated !&nbsp;</P><P>Thanks</P><P>P</P> Fri, 11 Dec 2020 19:18:10 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-Table-Comparison-with-field-and-to-return-field-value/m-p/532860#M150536 peetchow 2020-12-11T19:18:10Z https://community.splunk.com/t5/Splunk-Search/Lookup-Table-Comparison-with-field-and-to-return-field-value/m-p/533660#M150803 <P>This may help...</P><P>Below will search in the lookup and pull the results when the ip is not available in lookup.</P><P>| makeresults | eval field3="192.168.1.6", field4="hostname" | fields field3 field4 | dedup field3 | rename field3 as Source_IP | lookup <EM>ip_whitelist<SPAN>&nbsp;</SPAN></EM> IPAddresses AS Source_IP | eval InWhitelist=if(isnull(SubnetMasks),"Yes","No") | table Source_IP field4 InWhitelist SubnetMasks | where InWhitelist="Yes"</P> Sat, 19 Dec 2020 19:19:57 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-Table-Comparison-with-field-and-to-return-field-value/m-p/533660#M150803 saravanan90 2020-12-19T19:19:57Z https://community.splunk.com/t5/Splunk-Search/Lookup-Table-Comparison-with-field-and-to-return-field-value/m-p/534528#M151055 <P>Sadly it did not work, any IP i put in for field3 (whether in the whitelist or not) displayed in a table with value of "Yes" for InWhitelist&nbsp;</P><P>Also field4 that holds the hostname does not carry over to the table&nbsp;</P><P>&nbsp;</P> Wed, 30 Dec 2020 22:48:16 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-Table-Comparison-with-field-and-to-return-field-value/m-p/534528#M151055 peetchow 2020-12-30T22:48:16Z