Re: Do two joins matching inputlookup data to buil...

yacht_rock · ‎06-15-2017

I have a lookup - ips.csv - formated like...

ip,name
1.2.3.4,server1
2.3.4.5,server2

My indexed data is source, destination. I want a table that is like...

source, source_name, destination, destination_name

Not all sources or destinations will have a name in the lookup, so I want to see all rows, even if there is no name...

source, source_name, destination, destination_name
1.2.3.3,server,8.8.8.8,-
2.3.4.5,server2,4.4.4.4,client3

index=foo | table source destination | rename source AS ip | join [|inputlookup ips.csv | fields ip name] | rename ip AS source name AS source_name | rename destination AS ip | join [|inputlookup ips.csv | fields ip name]  rename ip AS destination name AS destination_name | table source source_name destination destination_name

Never seems to complete. I also get an error about renaming fields too many times.

I've experimented with join, append, appendcols... with no luck. How can I build this table?

woodcock · ‎06-15-2017

Like this:

index=foo 
| dedup source destination
| table source destination
| lookup jps.csv ip AS source OUTPUT name AS source_name 
| lookup jps.csv ip AS destination OUTPUT name AS destination_name

Do two joins matching inputlookup data to build table

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?

Do two joins matching inputlookup data to build table

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever