Splunk Search

Compare inputlookup column with actual search

dblagojevic
Engager

Hi all,

I have .csv file with the multiple columns. But only one will be used to compare results, name of that column is exampleIP.
My goal is to compare ip address from that column with the column client.ipaddress from index=blah. If it matches, output new column: Match with the results of Yes or No.

exampleip
--------------
1.1.1.1
2.2.2.2
3.3.3.3

index=blah
| table client.ipaddress
2.2.2.2
3.3.3.3

desired output
|table exampleip, client.ipaddress, match
---------
1.1.1.1 | | No
2.2.2.2 | 2.2.2.2 |  yes
3.3.3.3 | 3.3.3.3 | yes

I have already tried to apply different answers from similar subjects but no luck.
Also, is there a way to add other columns from index=blah in the end table result?
Thanks all in advance

0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

hi @dblagojevic,

Try this:

index=blah
| lookup csv_filename.csv exampleip as client.ipaddress OUTPUT exampleip 
| eval match=if('client.ipaddress'== exampleip, "yes", "no")

View solution in original post

manjunathmeti
SplunkTrust
SplunkTrust

hi @dblagojevic,

Try this:

index=blah
| lookup csv_filename.csv exampleip as client.ipaddress OUTPUT exampleip 
| eval match=if('client.ipaddress'== exampleip, "yes", "no")

dblagojevic
Engager

Hi @manjunathmeti ,

Thanks for your answer. It worked as a charm. I have just added:
| table client.ipaddress, exampleip, match, and of other interesting columns

If i may ask additional question: do you think that this could be done if a column exampleip contains cidr ranges?
For example: 10.0.1.0/24

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

It is possible using CSV lookup

  • Create & upload lookup test.csv

iprange
10.0.1.0/24
10.0.2.0/24

  • Create new lookup definition (Settings -> Lookup -> Lookup definition) Name: user_friendly_name Type: File-based Lookup file : test.csv Advanced Options: Match Type: CIDR(iprange)
  • Query

    index=blah | lookup user_friendly_name iprange as client.ipaddress OUTPUT iprange | eval match=if(isnotnull(iprange),"yes","no")

manjunathmeti
SplunkTrust
SplunkTrust

No that's not possible using csv lookup. If you few values for exampleip then you can use cidrmatch function like below:

index=blah | eval client_ipaddress = 'client.ipaddress', match=if(cidrmatch("10.0.1.0/24", client_ipaddress), "yes", "no")
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...