inputlookup to match a field value using a variable

omun0z — Wed, 24 Feb 2021 03:06:47 GMT

Hello Splunk team, I'm trying to append columns based in a search of a field (Network = Network_CIDR) in Ashland-Networks-EAs.csv , Network_CIDR is a variable, but I don't get any match, not sure why.

sourcetype=ib:ipam:network index=ib_ipam | eval Network_CIDR=address."/".cidr | search view = "Ashland" | eval utilization=round(utilization, 1) | eval allocation=round(allocation, 1) | sort address | rename timestamp as Timestamp, view as "Network View", address as Network, cidr as CIDR, utilization as "DHCPv4 Utilization %", address_total as Total, address_alloc as Allocated, address_reserved as Reserved, address_assigned as Assigned, protocol as Protocol, allocation as "Utilization %", address_unmanaged as Unmanaged | table Timestamp, "Network View", Network, CIDR, Total, Allocated, Reserved, Assigned, Protocol, "Utilization %", Unmanaged, Network_CIDR | appendcols [|inputlookup Ashland-Networks-EAs.csv where (Network = Network_CIDR) | table Site_ID_DDI, Region_DDI, Country_DDI, City_DDI, Comment]

I have changed "where" option by "search" option in the appendcols part, but also is not matching any valuae and I get blank values in the columns added.

sourcetype=ib:ipam:network index=ib_ipam | eval Network_CIDR=address."/".cidr | search view = "Ashland" | eval utilization=round(utilization, 1) | eval allocation=round(allocation, 1) | sort address | rename timestamp as Timestamp, view as "Network View", address as Network, cidr as CIDR, utilization as "DHCPv4 Utilization %", address_total as Total, address_alloc as Allocated, address_reserved as Reserved, address_assigned as Assigned, protocol as Protocol, allocation as "Utilization %", address_unmanaged as Unmanaged, Network_CIDR| table Timestamp, "Network View", Network, CIDR, Total, Allocated, Reserved, Assigned, Protocol, "Utilization %", Unmanaged, Network_CIDR | appendcols [|inputlookup Ashland-Networks-EAs.csv | search Network = Network_CIDR | rename Network as "Network/Mask" | table Network/Mask, Site_ID_DDI, Region_DDI, CountryDDI, City_DDI, Comment]

Basically I want to add new cols from Ashland-Networks-EAs.csv at the end of each row that match with the Network field.

If I do the below search on Ashland-Networks-EAs.csv, I can get the info for 10.168.135.0/24.

|inputlookup Ashland-Networks-EAs.csv |search Network = 10.168.135.0/24| fields Network, Site_ID_DDI, Region_DDI, Country_DDI, City_DDI

Maybe this is not the correct way to do what I want to do, but Thanks in advance for your help.

Omar.

Re: inputlookup to match a field value using a variable

manjunathmeti — Wed, 24 Feb 2021 05:07:38 GMT

CHeck this: https://community.splunk.com/t5/Splunk-Search/Using-CIDR-in-a-lookup-table/m-p/35792#M7873

Re: inputlookup to match a field value using a variable

omun0z — Wed, 24 Feb 2021 16:23:38 GMT

Thanks manjunathmeti for your response, but basically I want to treat the Network/CIDR as a text string, think I don't need to use cdirmatch function. But, maybe I need to do this in a different way.. Is there a way I can set an eval myVariable=[|inputlookup Ashland-Networks-EAs.csv where (Network = Network_CIDR) | table Site_ID_DDI, Region_DDI, Country_DDI, City_DDI, Comment] and add myVariable at the end in the table?

Thanks in davance for your help.

Omar.

topic inputlookup to match a field value using a variable in Splunk Search

inputlookup to match a field value using a variable

Re: inputlookup to match a field value using a variable

Re: inputlookup to match a field value using a variable