Splunk Search

Fill field based on if it matches a lookup

rogueakula1
Loves-to-Learn Lots

Good morning, all! I am trying to fill in a table based on if an IP address is in a lookup. I have a lookup table called "IPAddresses.csv" with the addresses in a column called "value", and a field in the event called addr. I want to fill a cell in a table with "In IP List" or "Not in IP List", something like this:

IPAddresses.csv

value          Hostname
192.168.1.1    Host A
192.168.1.3    Host B
192.168.1.5    Host C
192.168.1.7    Host D


Splunk Table

In IP Addresses    addr
In List            192.168.1.1
Not In List        192.168.1.2
In List            192.168.1.3
Not In List        192.168.1.4


I have a very immature Splunk knowledge base, so I am not even sure where to start. I would assume that it would require an eval if match statement in conjunction with a lookup, but I am not sure how to join the two. Any help would be greatly appreciated! Thank you!

0 Karma

kamlesh_vaghela
SplunkTrust

@rogueakula1 

You can try the lookup command:

YOUR_SEARCH | lookup IPAddresses.csv value as addr output Hostname
| eval "In IP Addresses"=if(isnotnull(Hostname),"In List","Not In List")
| fields - Hostname


My sample search:

| makeresults | eval _raw="addr
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4" | multikv forceheader=1
| table addr | lookup IPAddresses.csv value as addr output Hostname
| eval "In IP Addresses"=if(isnotnull(Hostname),"In List","Not In List")
| fields - Hostname


Thanks
KV

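As an added example (not from the original post or its author), here is the same membership check with one adjustment a defender would usually want: instead of inferring a match from Hostname being populated, the lookup outputs its own key column under a new name, so an address that is present in IPAddresses.csv but has an empty Hostname cell is still reported as "In List". The addr values are constructed sample data; the lookup file IPAddresses.csv with a value column is assumed to exist as described in the question.

```spl
| makeresults
| eval _raw="addr
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4"
| multikv forceheader=1
| table addr
| lookup IPAddresses.csv value AS addr OUTPUTNEW value AS matched_ip
| eval "In IP Addresses"=if(isnotnull(matched_ip), "In List", "Not In List")
| fields - matched_ip
```

Two caveats on the match itself: lookup matching is case-sensitive and exact by default, so stray whitespace or a CIDR range such as 192.168.1.0/24 in the value column will not match a single address. Range matching needs a lookup definition (rather than the bare CSV file name) with match_type set to CIDR for the value field.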
