Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with search then loookup

luuken
New Member
‎11-23-2021 10:59 PM

Hi,

The following is my search:

index=pace ERROR OR FATAL OUI=* Number=*
| stats count by OUI Number
| sort -count

 

After executing the above search i get the following results:

 

OUI Number count

9C3DCF4W12757WA51F61880CC9C4W15177LA0AD1100836C94W150B70A38374100C6B4W15077PA0682380CC9C4W151778A0A39380CC9C4W15177GA0A5D3


Note: The number column are the results I am interested in.


I have a separate table named subsdeviceextract.csv as per the following:

MACModelOUIPost CodeSerial Number08:36:C9:9A:F4:6CV65100836C927754W150B70A012A08:36:C9:9B:5C:FEV65100836C964374W150B70A07A808:36:C9:9C:A8:20V65100836C926414W150B70A110A


I would like to look up the Serial number to get the Model Number

Please help me, thank you

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2021 12:28 AM

Firstly - you did something strange with tables in your post. It's unreadable 🙂

Secondly - just use lookup.

 

index=pace ERROR OR FATAL OUI=* Number=*
| stats count by OUI Number
| sort -count
| lookup subsdeviceextract.csv "Serial Number" AS Number OUTPUT Model

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-23-2021 11:09 PM

Hi @luuken,

you have to put your table in a lookup called e.g. subsdeviceextract.csv (for more infos see at (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup) and then run a search like this:

index=pace ERROR OR FATAL OUI=* Number=*
| stats count by OUI Number
| lookup subsdeviceextract.csv OUI OUTPUT Model
| sort -count
| table OUI Number count Model

If you like, you can use also other fields from your lookup.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...