Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to find matching values in lookup?

POR160893
Builder
‎10-26-2022 06:21 AM

Hi,

I have the following query:

 

index = ABC
| eval domain=mvindex(split(EMAIL_TXT, "@"), 1)
| stats dc(EMAIL_TXT) AS Count_EmailAddress, values(domain) as domain values(EMAIL_TXT) as Email_Address, values(STRT_DTS) AS Start_Date by IP_ADDR
| where Count_EmailAddress >1
| sort -Count_EmailAddress

 



I also have a lookup with a list of IPs:
|inputlookup HighRiskDomain 

How do I create a new field called "HighRiskIP" that would have with "Yes" or "No" values, depending on whether the IP for that given row matches an IP on the lookup?????

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2022 06:57 AM

Someone really needs to do a .conf talk on the differences between inputlookup and lookup because they seem to be confused often.

To find out if a given value is in a lookup table, use the lookup command.  Assuming the lookup table contains a single field called "IP_ADDR", this should do it.

index = ABC
| eval domain=mvindex(split(EMAIL_TXT, "@"), 1)
| stats dc(EMAIL_TXT) AS Count_EmailAddress, values(domain) as domain values(EMAIL_TXT) as Email_Address, values(STRT_DTS) AS Start_Date by IP_ADDR
| where Count_EmailAddress >1
| sort -Count_EmailAddress
```Look up the IP address.  
The ip_addr_exists field will be null if the address is not in the table.```
| lookup HighRiskDomain IP_ADDR OUTPUT ip_addr_exists
| eval HighRiskIP = if(isnotnull(ip_addr_exists), "Yes", "No")

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2022 06:57 AM

Someone really needs to do a .conf talk on the differences between inputlookup and lookup because they seem to be confused often.

To find out if a given value is in a lookup table, use the lookup command.  Assuming the lookup table contains a single field called "IP_ADDR", this should do it.

index = ABC
| eval domain=mvindex(split(EMAIL_TXT, "@"), 1)
| stats dc(EMAIL_TXT) AS Count_EmailAddress, values(domain) as domain values(EMAIL_TXT) as Email_Address, values(STRT_DTS) AS Start_Date by IP_ADDR
| where Count_EmailAddress >1
| sort -Count_EmailAddress
```Look up the IP address.  
The ip_addr_exists field will be null if the address is not in the table.```
| lookup HighRiskDomain IP_ADDR OUTPUT ip_addr_exists
| eval HighRiskIP = if(isnotnull(ip_addr_exists), "Yes", "No")

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎10-26-2022 06:51 AM

First of all: you may want to remove the URL under the lookup name 🙂

There's multiple ways to do this, but in the end it comes down to doing a | lookup command and then some eval to translate the output of the lookup command to yes and no. One way would be to add a column in your lookup called "HighRiskIP" with value "yes" on each row. Then you can do:

 

...your current query...
| lookup HighRiskDomain IP as IP_ADDR OUTPUT HighRiskIP
| eval HighRiskIP = coalesce(HighRiskIP,"no")

 

Note: you may need to replace "IP" in the lookup command with whatever the ip address field in your lookup is called.

If you don't want to add additional columns to the lookup table, you can also do something like this:

 

...your current query...
| lookup HighRiskDomain IP as IP_ADDR OUTPUT IP as HighRiskIP
| eval HighRiskIP = if(isnull(HighRiskIP),"no","yes")

 

Note: use above as inspiration, don't just copy paste it and trust my code is bug free, I haven't tested these.

0 Karma
Reply
Solved! Jump to solution

POR160893
Builder
‎10-26-2022 06:58 AM

Do not see the URL you are referring to btw .....

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎10-26-2022 07:04 AM

Looks like that has already been fixed (probably a copy paste mistake) 🙂

0 Karma
Reply
Solved! Jump to solution

POR160893
Builder
‎10-26-2022 07:08 AM

I made no change myself .... hopefully it wasn't too fatal 🙂

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎10-26-2022 07:22 AM

It was a link to your splunk environment I think. Perhaps @richgalloway was so kind to strip it for you.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2022 08:05 AM

Yes, I removed the URL.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

POR160893
Builder
‎10-27-2022 02:39 AM

Thanks Richard!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...