Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Search for ip in lookup based on system alias in c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trusty
Engager
04-24-2024
06:26 AM
Helo
I have a search query like this: index=test dscip=192.168.1.1 OR dscip=192.168.1.2 ...
I would like to search this list of ip based on system-alias in my lookup
This is my sample lookup.csv:
| system-alias | system-ip |
| prod | 192.168.1.1 |
| dev | 192.168.2.2 |
| prod | 192.168.1.2 |
so what a search query should look like if i want to serach only for prod ip`s ?
P
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
04-24-2024
06:39 AM
@Trusty
You can use the lookup to enrich the dataset and then filter based on the value
|makeresults |eval dscip="192.168.1.1 192.168.2.2 192.168.1.2"|makemv dscip| mvexpand dscip
|rename comment as "Above is just data generation"
|lookup lookup.csv system-ip as dscip OUTPUT system-alias as env
|where env = "prod"
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
04-24-2024
06:39 AM
@Trusty
You can use the lookup to enrich the dataset and then filter based on the value
|makeresults |eval dscip="192.168.1.1 192.168.2.2 192.168.1.2"|makemv dscip| mvexpand dscip
|rename comment as "Above is just data generation"
|lookup lookup.csv system-ip as dscip OUTPUT system-alias as env
|where env = "prod"
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trusty
Engager
04-25-2024
12:28 AM
It works, I have an IP list based on the specified system name (prod etc). Now how can I associate this list with a search?
So that the list of IPs displayed by this query can be attached to dscip
| search sourcetype="new" DstIP=(list of above ip)
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
What Is Splunk? Here’s What You Can Do with Splunk
Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...
Level Up Your .conf25: Splunk Arcade Comes to Boston
With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...
