Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best way to search using a lookup table?

Jason
Motivator
‎10-05-2010 04:48 PM

I'm running a search across a bunch of data, say web logs, that has a lot of different src_ips.

I make a lookup of a handful of src_ips that I want to take a look at:

lookup table [iptable]

src_ip
1.2.3.4
1.2.3.5
1.2.4.6

What is the best way to search across all of my data (sourcetype=web, for instance) and ONLY show items matching my lookup file?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-05-2010 05:01 PM

Assuming there is a field in your data called src_ip, and that you have (say) millions of events and less than a few hundred entries in your lookup table, the most efficient way is probably:

sourcetype=web [ inputlookup iptable | fields src_ip ]

If the field in the sourcetype is called, say, source_address, you could do:

sourcetype=web [ inputlookup iptable | fields src_ip | rename src_ip as souce_address ]

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-05-2010 05:01 PM

Assuming there is a field in your data called src_ip, and that you have (say) millions of events and less than a few hundred entries in your lookup table, the most efficient way is probably:

sourcetype=web [ inputlookup iptable | fields src_ip ]

If the field in the sourcetype is called, say, source_address, you could do:

sourcetype=web [ inputlookup iptable | fields src_ip | rename src_ip as souce_address ]
Reply
Solved! Jump to solution

Jason
Motivator
‎10-05-2010 04:50 PM

sourcetype=web | join src_ip [inputlookup iptable] ?

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...