Re: Substitution/Mapping table of user to IP addre...

tjharris · ‎04-12-2018

I have a few web application reports and they are great, except the log data only has the user's IP address, which I want to map to user names. I have good mapping data from my DHCP. But, I've been unable to find how I can use a data table to map the user name in for the IP address in my output table.

I'm using splunkcloud. Any pointers on how this can be done?

Tim_1 · ‎04-16-2018

You could use your DHCP as a static lookup, then join within the query using 'lookup' or 'inputlookup' command.
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/lookup

p_gurav · ‎04-12-2018

Can you provide some sample events from DHCP and user data?

tjharris · ‎04-15-2018

The DHCP data is not emitted into Splunk. It's just a static map of IP->User. I have it as an external CSV file, which I can import into Splunk if needed. My goal is then to use that mapping table of IP:User to swap out IP address for user names in my report table.

p_gurav · ‎04-15-2018

You can try uploading csv file as lookup and then map it with your report. This may help:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchTutorial/Usefieldlookups

Substitution/Mapping table of user to IP address for report?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms