Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I reference lookup table with a field that have dynamic value?

LeeZeeYuen
New Member
‎01-18-2018 11:07 PM

I have a field value for IP address in the lookup dataset but the IP address from real logs are dynamic and constantly changing.

Tags (2)
0 Karma
Reply

FrankVl
Ultra Champion
‎01-22-2018 01:16 AM

Not sure how that comment relates to the original question (which was about dynamic IP addresses), but I see a few options to deal with getting multiple matches from your lookup:

  1. Configure the lookup with a max. matches setting of 1 (but you may want to check whether that gives the desired match)
  2. Use some additional commands to reduce the multi valued severity_level field to a single value field.
  3. add more key fields to the lookup, to get a unique match
0 Karma
Reply

LeeZeeYuen
New Member
‎01-22-2018 01:27 AM

Haha sorry for the confusing questions. Thanks for the answer anyway I will try it out now!

0 Karma
Reply

LeeZeeYuen
New Member
‎01-21-2018 04:08 PM

This is the sample dataset I have for my lookup`
alt text

I am trying to use the lookup dataset to output the siem_severity field. The commands are as shown below
alt text

However, as you can see there are events with two output-ed "severity_level". I want an events to only display one level of severity

Preview file
34 KB
Preview file
60 KB
0 Karma
Reply

horsefez
Motivator
‎01-19-2018 05:09 AM

Hi LeeZeeYuen,
just give us a bit more description so we are able to help you.

Maybe some screenshots or example events.

Thanks!

0 Karma
Reply

LeeZeeYuen
New Member
‎01-21-2018 04:16 PM

This is the dataset that I am currently using
link text

I need to use the dataset for lookup to output the field "siem_severity". The command used are shown below
link text

However, using this command will cause certain events to have two "severity_level" value
link text

I need to find a solution to only display one "severity_level" value.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...