Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

reciprocal entries in next row

dxw350
Path Finder
‎06-23-2017 11:20 AM

I am using lookup commands for data in a csv file and trying to map src_ip to the HOST and the SERVER in different rows. As an example
MY ISSUE: There are always entries for both Host and Server, but if the Server entry is not listed as a separate row in the HOST column I need to add it as a reciprocal row. Is there a way to do that with |lookup HOST as src_ip OUTPUT src_ip dest_zone SERVER |lookup SERVER as src_ip OUTPUT src_ip dest_zone SERVER
Example:
HOST SERVER
192.168..1.1 192.168.2.10
192.168.2.10 192.168.1.1 This pair is good

192.168.1.3 192.168.2.11
Missing reciprocal This row needs the reverse

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-23-2017 12:33 PM

I wouldn't spend a minute thinking about this...

| inputlookup SERVER 
| appendpipe [ | eval hold=HOST | eval HOST=SERVER | eval SERVER=hold | fields - hold] 
| dedup HOST SERVER
| outputlookup append=f SERVER

View solution in original post

Reply
Solved! Jump to solution

dxw350
Path Finder
‎06-26-2017 07:41 AM

hi,

I tried your appendpipe solution and it didn't work. I only have one inputlookup csv called "data_file.csv". How can the following be corrected to work?

index=firewall_juniper sourcetype="juniper:junos:firewall" |dedup src_ip dest_ip | lookup data_file HOST_IP as src_ip output APPLICATION_SERVICE SERVER_IP |search APPLICATION_SERVICE=$param_app$ | inputlookup data_file| appendpipe [ | eval hold=HOST_IP | eval HOST_IP=SERVER_IP | eval SERVER_IP=hold | fields-hold] | dedup HOST_IP SERVER_IP | outputlookup append=f PARITY_SERVER_IP |search APPLICATION_SERVICE=$param_app$ |table src_ip src dest_ip HOSTNAME SERVER_IP

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-23-2017 12:33 PM

I wouldn't spend a minute thinking about this...

| inputlookup SERVER 
| appendpipe [ | eval hold=HOST | eval HOST=SERVER | eval SERVER=hold | fields - hold] 
| dedup HOST SERVER
| outputlookup append=f SERVER
Reply
Solved! Jump to solution

dxw350
Path Finder
‎06-23-2017 12:03 PM

Thanks for the reply. It will be separate rows as entries

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-23-2017 12:00 PM

Is your query like this? (there might be a type in first lookup)

your base search giving field src_ip |lookup HOST as src_ip OUTPUT src_ip dest_zone HOST |lookup SERVER as src_ip OUTPUT src_ip dest_zone SERVER

The example output, is it single rows or two rows?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...