Re: Do two joins matching inputlookup data to buil...

yacht_rock · ‎06-15-2017

I have a lookup - ips.csv - formated like...

ip,name
1.2.3.4,server1
2.3.4.5,server2

My indexed data is source, destination. I want a table that is like...

source, source_name, destination, destination_name

Not all sources or destinations will have a name in the lookup, so I want to see all rows, even if there is no name...

source, source_name, destination, destination_name
1.2.3.3,server,8.8.8.8,-
2.3.4.5,server2,4.4.4.4,client3

index=foo | table source destination | rename source AS ip | join [|inputlookup ips.csv | fields ip name] | rename ip AS source name AS source_name | rename destination AS ip | join [|inputlookup ips.csv | fields ip name]  rename ip AS destination name AS destination_name | table source source_name destination destination_name

Never seems to complete. I also get an error about renaming fields too many times.

I've experimented with join, append, appendcols... with no luck. How can I build this table?

woodcock · ‎06-15-2017

Like this:

index=foo 
| dedup source destination
| table source destination
| lookup jps.csv ip AS source OUTPUT name AS source_name 
| lookup jps.csv ip AS destination OUTPUT name AS destination_name

Do two joins matching inputlookup data to build table

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?

Do two joins matching inputlookup data to build table

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps