Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search for ip in lookup based on system alias in csv

Trusty
Engager
‎04-24-2024 06:26 AM

Helo

I have a search query like this: index=test dscip=192.168.1.1 OR dscip=192.168.1.2 ...

I would like to search this list of ip based on system-alias in my lookup

This is my sample lookup.csv:

system-aliassystem-ip
prod192.168.1.1
dev192.168.2.2
prod

192.168.1.2

 

so what a search query should look like if i want to serach only for prod ip`s ?

 

P

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎04-24-2024 06:39 AM

@Trusty 
You can use the lookup to enrich the dataset and then filter based on the value

|makeresults |eval dscip="192.168.1.1 192.168.2.2 192.168.1.2"|makemv dscip| mvexpand dscip
|rename comment as "Above is just data generation"
|lookup lookup.csv system-ip as dscip OUTPUT system-alias as env
|where env = "prod"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎04-24-2024 06:39 AM

@Trusty 
You can use the lookup to enrich the dataset and then filter based on the value

|makeresults |eval dscip="192.168.1.1 192.168.2.2 192.168.1.2"|makemv dscip| mvexpand dscip
|rename comment as "Above is just data generation"
|lookup lookup.csv system-ip as dscip OUTPUT system-alias as env
|where env = "prod"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Trusty
Engager
‎04-25-2024 12:28 AM

It works, I have an IP list based on the specified system name (prod etc). Now how can I associate this list with a search?
So that the list of IPs displayed by this query can be attached to dscip
| search sourcetype="new" DstIP=(list of above ip)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...