- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to get a lookup table field and IP match with ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get a lookup table field and IP match with indexing data and sourcetype?
Splunkers,
Here is my Question.
I have a lookup table with Windows_list.csv and contains IP, Host Name, Application fields.
Now I want to take IP as input from lookup table and search against the current windows index and see how many hosts are reporting to given sourcetype to that index.
QS is I need to verify 3000 hosts from my list against current splunk data (sending data to splunk or not with some sourcetype=win etc.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Splunk_rocks is the IP address in your sourcetype=win already extracted with some field name? If yes what is it? If not create a field extraction possibly as IP itself so that you dont want to create a field alias to normalize the field across sourcetype and lookup.
If you currently do not have IP address field extracted in your sourcetype=win, you can try the following
index=<your_index_name> sourcetype=win [| inputlookup Windows_list.csv | rename IP as search | table search ]
If you lookup file has IPs like 10.10.201.200 , 10.10.201.201, 10.10.201.202 etc the above is similar to writing the following command.
index=<your_index_name> sourcetype=win 10.10.201.200 10.10.201.201 10.10.201.202
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
What about:
index=windows
[ | inputlookup Windows_list.csv
| return IP]
| stats count(hosts) by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks , its not working i need to take IP from my list and search against with splunk index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This | inputlookup Windows_list.csv | return IP returns an ORed list of the IPs and is passing them to your index.
What is exactly is not working? Does this index=windows [ | inputlookup Windows_list.csv | return IP] is not getting the events you want for the later stats?
Can you specify what is not working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks
it just taking only first IP from lookup file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right so have the return to include an arbitrary number of IPs, like shown below
index=windows
[ | inputlookup Windows_list.csv
| return 100000 IP]
| stats count(hosts) by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Splunk_rocks describe ip fieldname in your events and lookup. That would probably help Tiago.
Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!
Preparing your Splunk Environment for OpenSSL3
Incident Response: Reduce Incident Recurrence with Automated Ticket Creation
