How to use a Lookup table to search against two so...

cryptosmasher86 · ‎06-22-2017

I have two sources from Log files: “source1web”, “source2auth”, they both list IP addresses, but are named differently, source1web the field is “Server”, “and source2auth is “IP1”.

I need to check both logs against a lookup table “lookup1” the field in the lookup table is “Server”

Searching against 1 source works
index=index1 sourcetype=source1web [| inputlookup lookup1.csv | fields Server] |

index=index1 sourcetype=source2auth [| inputlookup lookup1.csv | fields Server | rename Server as IP1] |

when I have tried to combine the 2 it doesn't produce any results

cmerriman · ‎06-22-2017

you're trying to combine the two searches into one and have one inputlookup?

have you tried renaming IP1 in source2auth as Server before the lookup instead of doing it in the lookup?

(index=index1 sourcetype=source1web) OR (index=index1 sourcetype=source2auth)|eval Server=coalesce(Server,IP1)|join Server [| inputlookup lookup1.csv | fields Server]

cryptosmasher86 · ‎06-22-2017

Worked perfectly thank you

woodcock · ‎06-24-2017

Make sure that you click Accept to close the question and reward the answerer with Karma points.

How to use a Lookup table to search against two sourcetypes with a common field that's named differently

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...