I have a field src_ip in my data.
My lookup fields: ip1, ip2, ip3, ip4, user
What I want is to find matching pairs in src_ip and ip1, ip2, ip3, ip4 and OUTPUT the name of the user this src_ip belongs to.
How can I do this?
You'll need to use multiple lookups to do that.
... | lookup <lookup_name> ip1 as src_ip output user
| lookup <lookup_name> ip2 as src_ip outputnew user
| lookup <lookup_name> ip3 as src_ip outputnew user
| lookup <lookup_name> ip4 as src_ip outputnew user
...
I know this works, but can't I do this within one command?
It is stated in the documentation that multiple fields can be included in the list.
Yes, the lookup command supports multiple fields, but all of the fields are ANDed during the lookup. The only way to do an OR is via multiple lookups.
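The AND-versus-OR behaviour described in the last reply, as an added example that is not part of the thread: a simplified Python model of the matching, not Splunk code. The lookup rows, events, addresses and function names are constructed for illustration.

```python
# Simplified model of how a lookup matches fields; not Splunk code.
# LOOKUP_ROWS and EVENTS are constructed sample data (documentation addresses).
LOOKUP_ROWS = [
    {"ip1": "192.0.2.10", "ip2": "192.0.2.11", "ip3": "", "ip4": "",
     "user": "alice"},
    {"ip1": "198.51.100.5", "ip2": "", "ip3": "198.51.100.7",
     "ip4": "203.0.113.9", "user": "bob"},
]
EVENTS = [
    {"src_ip": "192.0.2.11"},     # sits in alice's ip2 column
    {"src_ip": "203.0.113.9"},    # sits in bob's ip4 column
    {"src_ip": "203.0.113.200"},  # not in the lookup at all
]
IP_FIELDS = ["ip1", "ip2", "ip3", "ip4"]


def lookup(event, rows, field_map, dest, outputnew=False):
    """Apply one lookup: every pair in field_map must match the same row (AND)."""
    if outputnew and event.get(dest) is not None:
        return event  # OUTPUTNEW never overwrites a value that is already set
    for row in rows:
        if all(row[lf] == event.get(ef) for lf, ef in field_map.items()):
            return {**event, dest: row[dest]}
    return event  # no match: nothing written (sample events carry no prior user)


def single_lookup_all_fields(event):
    """Models one lookup listing ip1..ip4, each mapped AS src_ip."""
    return lookup(event, LOOKUP_ROWS, {f: "src_ip" for f in IP_FIELDS}, "user")


def chained_lookups(event):
    """Models the four chained lookups: OUTPUT first, then OUTPUTNEW (OR)."""
    for i, field in enumerate(IP_FIELDS):
        event = lookup(event, LOOKUP_ROWS, {field: "src_ip"}, "user",
                       outputnew=i > 0)
    return event


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["src_ip"],
              single_lookup_all_fields(ev).get("user"),
              chained_lookups(ev).get("user"))
```

The single multi-field lookup only resolves a user when one row holds the same address in all four columns, which is why it returns nothing for these events while the chained form does.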