I have a lookup - ips.csv - formated like...
ip,name
1.2.3.4,server1
2.3.4.5,server2
My indexed data is source, destination. I want a table that is like...
source, source_name, destination, destination_name
Not all sources or destinations will have a name in the lookup, so I want to see all rows, even if there is no name...
source, source_name, destination, destination_name
1.2.3.3,server,8.8.8.8,-
2.3.4.5,server2,4.4.4.4,client3
index=foo | table source destination | rename source AS ip | join [|inputlookup ips.csv | fields ip name] | rename ip AS source name AS source_name | rename destination AS ip | join [|inputlookup ips.csv | fields ip name] rename ip AS destination name AS destination_name | table source source_name destination destination_name
Never seems to complete. I also get an error about renaming fields too many times.
I've experimented with join, append, appendcols... with no luck. How can I build this table?
Like this:
index=foo
| dedup source destination
| table source destination
| lookup jps.csv ip AS source OUTPUT name AS source_name
| lookup jps.csv ip AS destination OUTPUT name AS destination_name