Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can't get every values for a field in lookup

batuhankutluca
Explorer
‎03-20-2019 03:20 AM

Hello,
I have a lookup filled with IP's and time that the event happens on that time. I have a search that gets IP's from a lookup and tries to learn which hosts got that IP's form dhcp. But my search doesn't work for every IP's in lookup for some reason I don't know. For example:
alt text

alt text

As you can see I have 10.60.xx and 10.3.4.x.x IP's in my lookup. But the result returns me the hostnames only for the 10.60.x.x IP. But when I try to search hostname for 10.34.x.x by manually, I can get it from logs. I want to know why is my search with lookup not working properly? By the way my search is :
index=xxx sourcetype=yyy "Lease granted to"
| lookup vpn.csv srcip AS dest_ip
| search Time=*
| eval event_time=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where _time < event_time
| stats latest(dest_nt_host) as dest_nt_host by dest_ip

I don't think that my search is wrong because the returned hostnames are true.

Tags (1)
Preview file
68 KB
Preview file
9 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...