Help with lookup

hank72 · ‎12-14-2019

Hi. Please I need some help.

Different devices, all with different port numbers. How to create a single search that will use lookup table to check multiple devices and different portid with notes?

device,portid,notes
device1,2,cube1
device1,4,cube7
device1,6,cube8
device2,5,cube3
device2,6,cube2
device3,1,cube6
device3,5,cube9
device3,7,cube4

This is a search for one device (device1) and it's ports. But now I have many more devices all with different ports.
index=myindex device=device1 type=port speed=1Gfdx state=down | where in(portid,2,4,6) | table device, portid, state

Thank you.
Hank

richgalloway · ‎12-15-2019

A subsearch should do it. The format command converts the fields into ((device=1 port=2) OR (device=1 port=4)...).

index=myindex speed=1Gfdx state=down
   [ | inputlookup mylookup | fields device,portid | format ]
| table device, portid, state

---
If this reply helps you, Karma would be appreciated.

Help with lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Help with lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions