topic Re: Lookup when format is not equal. in Splunk Search

Lookup when format is not equal.

lakromani — Sun, 13 Mar 2016 20:13:09 GMT

I already have a CSV file for an other app that uses mac to IP/Name.

Format is like this:

mac,ip,host_name
6067.209c.ce2c,10.10.10.186,pc-test
c01a.da25.da0e,10.10.10.163,server
100b.a91e.5cdc,10.10.10.160,phone

Now I have an other input that looks like this:

nic1 BC:F2:AF:C6:F0:25 TX 209 mbps
nic1 BC:F2:AF:C6:F0:18 TX 129 mbps

Is there a way to do a lookup for the mac in the mac to IP/Host file when format is different?

Re: Lookup when format is not equal.

martin_mueller — Sun, 13 Mar 2016 21:47:41 GMT

You could schedule a search that adds the other format to the lookup file periodically, and use that in your automatic lookup. Something like this:

| inputlookup file
| eval mac2 = coalesce(mac2, replace(replace(upper(mac), "\.", ""), "([^:][^:])(?!$)", "\1:"))
| outputlookup file

You'd have the original value in mac and the other notation in mac2.

Re: Lookup when format is not equal.

jkat54 — Sun, 13 Mar 2016 21:58:13 GMT

You can use evals to change the format prior to the lookup. I often take everything to lowercase/uppercase prior to joins and lookups. Your requirements would be a bit trickier but Martin has done the tricky eval part it appears.