https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548812#M155702 <P>Doh!&nbsp; There are times when I forget how Splunk works and try treating it like a programming language.</P> Wed, 21 Apr 2021 15:04:11 GMT jwhughes58 2021-04-21T15:04:11Z https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548690#M155662 <P>I've got two searches I'm trying to join into one.</P><P>&nbsp;</P><LI-CODE lang="markup">| localop | ldapsearch domain=my_domain search="(&amp;(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=xxxx))" | table cn, dNSHostName</LI-CODE><P>&nbsp;</P><P>And</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval fqdn="www.usatoday.com" | lookup dnslookup clienthost AS fqdn OUTPUT clientip as ip</LI-CODE><P>&nbsp;</P><P>What I would like is a table that has hostname, FQDN, and IP Address.&nbsp; I've tried various subsearch methods to join them, but I must have something off since I either get an error or nothing.&nbsp; Any thoughts?</P><P>TIA,</P><P>Joe</P> Tue, 20 Apr 2021 21:29:13 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548690#M155662 jwhughes58 2021-04-20T21:29:13Z https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548692#M155663 <P>&nbsp;</P><LI-CODE lang="markup">| localop | ldapsearch domain=my_domain search="(&amp;(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=xxxx))" | table cn, dNSHostName | append [ | makeresults | eval fqdn="www.usatoday.com" | lookup dnslookup clienthost AS fqdn OUTPUT clientip as ip ] | stats values(*) as *</LI-CODE><P>or assuming that the cn is the fqdn, then this</P><LI-CODE lang="markup">| localop | ldapsearch domain=my_domain search="(&amp;(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=xxxx))" | table cn, dNSHostName | append [ | makeresults | eval fqdn="www.usatoday.com" | lookup dnslookup clienthost AS fqdn OUTPUT clientip as ip | rename fqdn as cn ] | stats values(*) as * by cn</LI-CODE> Tue, 20 Apr 2021 22:46:22 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548692#M155663 bowesmana 2021-04-20T22:46:22Z https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548723#M155672 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/172955">@jwhughes58</a>,</P><P>You can simply add dnslookup into your first search. There is no need subsearch;</P><LI-CODE lang="markup">| localop | ldapsearch domain=my_domain search="(&amp;(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=xxxx))" | lookup dnslookup clienthost AS dNSHostName OUTPUT clientip as ip | table cn, dNSHostName, ip</LI-CODE> Wed, 21 Apr 2021 05:56:05 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548723#M155672 scelikok 2021-04-21T05:56:05Z https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548812#M155702 <P>Doh!&nbsp; There are times when I forget how Splunk works and try treating it like a programming language.</P> Wed, 21 Apr 2021 15:04:11 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548812#M155702 jwhughes58 2021-04-21T15:04:11Z https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548813#M155703 <P>I see I explained my question badly bowesmana.&nbsp; I was going to update it today with a better explanation, but scelikok answered it.&nbsp; Thanks for the reply.</P> Wed, 21 Apr 2021 15:06:54 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-subsearch-in-a-lookup/m-p/548813#M155703 jwhughes58 2021-04-21T15:06:54Z