Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare values from log and lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup table that contains the data similar to the:
Service_name, IP, Port
HTTPS, 10.10.10.10, 443
DNS, 10.10.10.11, 80
What I am trying to achieve is to make a search that'll compare existing IPs and ports from the logs that are in fields destip, destport and return values that match both, i.e. if "destip = IP & destport = Port then return service_name but I don't know how to achieve this in SPL.
I can match destip with the IP from the lookup and return a new field for service_name based on that but that doesn't help me achieve what I need
| lookup service_lookup IP AS destip OUTPUTNEW service_name
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval ip="10.10.10.9,10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13"
| eval port="8,8,8,8,8"
| makemv delim="," ip
| makemv delim="," port
| eval tmp=mvzip(ip,port)
| mvexpand tmp
| rex field=tmp "(?<IP>[^,]+),(?<Port>[^,]+)"
| fields IP,Port
| join IP Port
[| stats count
| eval _raw="service_name, IP, Port
HTTPS,10.10.10.10,443
DNS,10.10.10.11,8"
| multikv forceheader=1
| fields - _*
| fields service_name IP Port]
Hi, this is sample query.
your search query
| join destip destport [| inputlookup service_lookup
| rename IP as destip
| rename Port as destport]
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval ip="10.10.10.9,10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13"
| eval port="8,8,8,8,8"
| makemv delim="," ip
| makemv delim="," port
| eval tmp=mvzip(ip,port)
| mvexpand tmp
| rex field=tmp "(?<IP>[^,]+),(?<Port>[^,]+)"
| fields IP,Port
| join IP Port
[| stats count
| eval _raw="service_name, IP, Port
HTTPS,10.10.10.10,443
DNS,10.10.10.11,8"
| multikv forceheader=1
| fields - _*
| fields service_name IP Port]
Hi, this is sample query.
your search query
| join destip destport [| inputlookup service_lookup
| rename IP as destip
| rename Port as destport]
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get what I wanted off of what you had here, eventually even decreased the search query to | lookup service_lookup IP as destip Port as destport OUTPUTNEW service_name
Which matched the port & ip from the logs to the table and then created a new field named "service_name" based on the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So that's it.
It will be helpful. Thanks.
Dashboards: Hiding charts while search is being executed and other uses for tokens
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
