Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare values from log and lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup table that contains the data similar to the:
Service_name, IP, Port
HTTPS, 10.10.10.10, 443
DNS, 10.10.10.11, 80
What I am trying to achieve is to make a search that'll compare existing IPs and ports from the logs that are in fields destip, destport and return values that match both, i.e. if "destip = IP & destport = Port then return service_name but I don't know how to achieve this in SPL.
I can match destip with the IP from the lookup and return a new field for service_name based on that but that doesn't help me achieve what I need
| lookup service_lookup IP AS destip OUTPUTNEW service_name
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval ip="10.10.10.9,10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13"
| eval port="8,8,8,8,8"
| makemv delim="," ip
| makemv delim="," port
| eval tmp=mvzip(ip,port)
| mvexpand tmp
| rex field=tmp "(?<IP>[^,]+),(?<Port>[^,]+)"
| fields IP,Port
| join IP Port
[| stats count
| eval _raw="service_name, IP, Port
HTTPS,10.10.10.10,443
DNS,10.10.10.11,8"
| multikv forceheader=1
| fields - _*
| fields service_name IP Port]
Hi, this is sample query.
your search query
| join destip destport [| inputlookup service_lookup
| rename IP as destip
| rename Port as destport]
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval ip="10.10.10.9,10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13"
| eval port="8,8,8,8,8"
| makemv delim="," ip
| makemv delim="," port
| eval tmp=mvzip(ip,port)
| mvexpand tmp
| rex field=tmp "(?<IP>[^,]+),(?<Port>[^,]+)"
| fields IP,Port
| join IP Port
[| stats count
| eval _raw="service_name, IP, Port
HTTPS,10.10.10.10,443
DNS,10.10.10.11,8"
| multikv forceheader=1
| fields - _*
| fields service_name IP Port]
Hi, this is sample query.
your search query
| join destip destport [| inputlookup service_lookup
| rename IP as destip
| rename Port as destport]
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get what I wanted off of what you had here, eventually even decreased the search query to | lookup service_lookup IP as destip Port as destport OUTPUTNEW service_name
Which matched the port & ip from the logs to the table and then created a new field named "service_name" based on the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So that's it.
It will be helpful. Thanks.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
