Can't get every values for a field in lookup

batuhankutluca
Explorer

Hello,
I have a lookup filled with IPs and the time at which each event happened. I have a search that gets IPs from a lookup and tries to learn which hosts got those IPs from DHCP. But my search doesn't work for every IP in the lookup, for some reason I don't know. For example:

As you can see, I have 10.60.x.x and 10.34.x.x IPs in my lookup. But the result returns the hostnames only for the 10.60.x.x IP. But when I search for the hostname for 10.34.x.x manually, I can get it from the logs. I want to know why my search with the lookup is not working properly. By the way, my search is:
index=xxx sourcetype=yyy "Lease granted to"
| lookup vpn.csv srcip AS dest_ip
| search Time=*
| eval event_time=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where _time < event_time
| stats latest(dest_nt_host) as dest_nt_host by dest_ip

I don't think that my search is wrong because the returned hostnames are true.
