topic Re: How do I use the data from lookup table column as search on live index? in Splunk Search

How do I use the data from lookup table column as search on live index?

socks — Thu, 10 Mar 2022 23:06:28 GMT

I just built my first lookup table, because I have a csv of about 200 servers with the in different ip spaces and I need to perform 2 things . 1. confirm the ip's in the csv's are in splunk and 2. display per ip what ports are listening.

So my query has been this

index=* |stats count by src_ip , dest_port [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address " as query

I have confirmed the lookup table is there and I can see it , and I can query the network, im just having issues with ingesting the 200+ ips as search items and then marrying the ports and prots with it . thanks in advance if this makes sense or am i looking at it all wrong ?

Re: How do I use the data from lookup table column as search on live index?

SanjayReddy — Fri, 11 Mar 2022 05:01:55 GMT

Hi @socks

Can you try with this

index=*
| lookup networkservers.csv "IPv4 Address" as src_ip OUTPUT src_ip
| stats count by src_ip,dest_port

Re: How do I use the data from lookup table column as search on live index?

Zhanali — Fri, 11 Mar 2022 06:38:29 GMT

Hello @socks

Also, try this

Re: How do I use the data from lookup table column as search on live index?

yuanliu — Fri, 11 Mar 2022 09:08:59 GMT

I think what you mean to do is

index=* [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address" as src_ip] | stats count by src_ip, dest_port

(Note your sample code missed a closing bracket; also the rename command contained an extra space in quotes.)

Re: How do I use the data from lookup table column as search on live index?

socks — Tue, 15 Mar 2022 14:07:06 GMT

nope this is not working , as the query seems to think the field src_ip is in the lookup table and it is not