Splunk Search

Can I do an eval if match with a lookup table?


I have a field called lookup_key that contains either a host name or an IP address. I am trying to get a lookup on the IPs against a host table, and output them to a new field called host1. If the lookup_key field is already a host name, just copy it to the new field. The address.csv has IPs in data1 and hosts in data2. Here is where I am currently; any help is appreciated.


| eval lookup_key = if(match(lookup_key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), "|lookup address1.csv data1 as lookup_key OUTPUT data2 as host1 ", "lookup_key=host1")




Unfortunately Splunk doesn't support that type of construct, but you can do it with:

| lookup address1.csv data1 AS lookup_key OUTPUT data2 AS found_host
| eval host1=case(isnotnull(found_host), found_host, match(lookup_key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), lookup_key, 1==1, lookup_key)

You have to go through the lookup process. If it's an IP, then found_host will be the mapped host (or null if the IP is not found).

Then the second line is calculating:

  1. host1 is the mapped value from found_host if the IP was found in the lookup
  2. host1 is the IP address if the IP was NOT found in the lookup
  3. host1 is the original host1

You may want to tweak that depending on your desired outcome.

Hope this helps
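A self-contained way to try the answer's approach, added here and not part of the original thread. It assumes address1.csv is configured as a lookup with an IP column data1 and a host column data2, as the question describes; the lookup_key values are constructed test data:

```spl
| makeresults count=1
| eval lookup_key=split("10.1.2.3,10.9.9.9,999.1.1.1,web01.example.com", ",")
| mvexpand lookup_key
| lookup address1.csv data1 AS lookup_key OUTPUT data2 AS found_host
| eval is_ipv4=if(match(lookup_key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), "yes", "no")
| eval host1=coalesce(found_host, lookup_key)
| eval unresolved_ip=if(is_ipv4="yes" AND isnull(found_host), "yes", "no")
| table lookup_key is_ipv4 found_host host1 unresolved_ip
```

Because a host name never matches an IP-only data1 column, the three case() branches collapse to coalesce(found_host, lookup_key); the unresolved_ip flag singles out IPs that are missing from the table (and shows that the regex also accepts out-of-range octets such as 999.1.1.1) so they can be reviewed rather than passed through silently.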

