Good morning, all! I am trying to fill in a table based on whether an IP address is in a lookup. I have a lookup table called "IPAddresses.csv" with the addresses in a column called "value", and a field in the event called addr. I want to fill a cell in a table with "In IP List" or "Not in IP List", something like this:
IPAddresses.csv

| value | Hostname |
|---|---|
| 192.168.1.1 | Host A |
| 192.168.1.3 | Host B |
| 192.168.1.5 | Host C |
| 192.168.1.7 | Host D |

Splunk Table

| In IP Addresses | addr |
|---|---|
| In List | 192.168.1.1 |
| Not In List | 192.168.1.2 |
| In List | 192.168.1.3 |
| Not In List | 192.168.1.4 |
I have a very immature Splunk knowledge base, so I am not even sure where to start. I would assume that it would require an eval if match statement in conjunction with a lookup, but I am not sure how to join the two. Any help would be greatly appreciated! Thank you!
You can try the lookup command:
YOUR_SEARCH | lookup IPAddresses.csv value as addr output Hostname
| eval "In IP Addresses"=if(isnotnull(Hostname),"In List","Not In List")
| fields - Hostname
My sample search:
| makeresults | eval _raw="addr
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4" | multikv forceheader=1
| table addr | lookup IPAddresses.csv value as addr output Hostname
| eval "In IP Addresses"=if(isnotnull(Hostname),"In List","Not In List")
| fields - Hostname
Thanks
KV
If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.
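For anyone who wants to check the lookup logic outside Splunk before uploading the CSV, here is an added Python example (my own, not KV's search and not a Splunk API) that does the same thing as the `lookup` + `eval if(isnotnull(...))` + `fields -` pipeline above. The lookup CSV and the four events are constructed inline to mirror the tables in the question. It also goes one step further than the exact-match case on the page: lookup rows written as CIDR ranges (for example `10.0.0.0/24`) are matched too, which is the usual shape of an allow list or a "known infrastructure" list in a SOC. The function and field names (`load_lookup`, `enrich`, `In IP Addresses`) are my own choices.

```python
import csv
import io
import ipaddress

# Constructed sample lookup, standing in for the IPAddresses.csv in the question.
LOOKUP_CSV = """value,Hostname
192.168.1.1,Host A
192.168.1.3,Host B
192.168.1.5,Host C
192.168.1.7,Host D
"""

# Constructed sample events, one addr field each, like the makeresults demo above.
EVENTS = [
    {"addr": "192.168.1.1"},
    {"addr": "192.168.1.2"},
    {"addr": "192.168.1.3"},
    {"addr": "192.168.1.4"},
]


def load_lookup(csv_text, key="value"):
    """Parse a CSV lookup into a list of (network, output_fields) pairs.

    A plain address becomes a /32 (or /128) network, a CIDR string stays a
    network, so exact entries and range entries share one matching path.
    The output fields are the row minus the key column, which is what
    `lookup ... OUTPUT Hostname` would attach to an event.
    """
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row[key].strip(), strict=False)
        outputs = {k: v for k, v in row.items() if k != key}
        entries.append((net, outputs))
    return entries


def find_row(addr, entries):
    """Return the output fields for the first lookup entry containing addr,
    or None when nothing matches (Splunk leaves the output field null then).
    A malformed addr never matches rather than raising."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net, outputs in entries:
        if ip in net:
            return outputs
    return None


def enrich(events, entries, event_field="addr", out_field="In IP Addresses"):
    """Equivalent of the posted pipeline:
       | lookup IPAddresses.csv value AS addr OUTPUT Hostname
       | eval "In IP Addresses"=if(isnotnull(Hostname),"In List","Not In List")
       | fields - Hostname
    Only the verdict field is added; Hostname is deliberately not kept."""
    result = []
    for ev in events:
        matched = find_row(ev.get(event_field, "").strip(), entries)
        enriched = dict(ev)
        enriched[out_field] = "In List" if matched is not None else "Not In List"
        result.append(enriched)
    return result


if __name__ == "__main__":
    for row in enrich(EVENTS, load_lookup(LOOKUP_CSV)):
        print(f'| {row["In IP Addresses"]:<11} | {row["addr"]} |')
```

Running it prints the four rows of the "Splunk Table" from the question. Note that a CSV lookup in Splunk itself does exact string matching by default, so a range entry such as `10.0.0.0/24` in the CSV would only behave like the script's CIDR branch if the lookup is defined in transforms.conf with `match_type = CIDR(value)`; the sample search in the answer does not need that for plain addresses.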