How do I reference a lookup table with a field that has a dynamic value?

LeeZeeYuen
New Member

I have a field value for IP address in the lookup dataset, but the IP addresses from real logs are dynamic and constantly changing.


FrankVl
Ultra Champion

Not sure how that comment relates to the original question (which was about dynamic IP addresses), but I see a few options to deal with getting multiple matches from your lookup:

  1. Configure the lookup with a max matches setting of 1 (but you may want to check whether that gives the desired match)
  2. Use some additional commands to reduce the multivalued severity_level field to a single-value field.
  3. Add more key fields to the lookup, to get a unique match
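The following search is an added example illustrating options 2 and 3 from the answer above; it is not from the original thread. It assumes a hypothetical lookup named siem_severity_lookup with columns ip, port and severity_level, events carrying src_ip and dest_port, and severity values critical/high/medium/low. Instead of letting a max matches of 1 silently keep whichever row happens to come first in the CSV (which can downgrade a critical match), it keeps the most severe of all matching rows, and it matches on both IP and port so that most events get a single row in the first place.

```spl
index=main sourcetype=my_logs
| lookup siem_severity_lookup ip AS src_ip, port AS dest_port OUTPUT severity_level
| eval severity_level=mvdedup(severity_level)
| eval severity_level=case(
    isnotnull(mvfind(severity_level, "^critical$")), "critical",
    isnotnull(mvfind(severity_level, "^high$")), "high",
    isnotnull(mvfind(severity_level, "^medium$")), "medium",
    isnotnull(mvfind(severity_level, "^low$")), "low",
    isnotnull(severity_level), mvindex(severity_level, 0),
    true(), "unknown")
| table _time src_ip dest_port severity_level
```

mvdedup removes exact duplicates returned by identical lookup rows; the case() then collapses any remaining multivalue field to the highest-ranked label, so the output is deterministic and never lower than the worst matching row. For the original question about changing IP addresses, the same approach works with a CIDR lookup: set match_type = CIDR(ip) on the lookup in transforms.conf and store network ranges in the ip column, so a host whose address moves inside a known range still matches.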

LeeZeeYuen
New Member

Haha sorry for the confusing questions. Thanks for the answer anyway I will try it out now!


LeeZeeYuen
New Member

This is the sample dataset I have for my lookup (screenshot not included).

I am trying to use the lookup dataset to output the siem_severity field. The commands are as shown below (screenshot not included).

However, as you can see, there are events with two outputted "severity_level" values. I want each event to only display one level of severity.


horsefez
SplunkTrust

Hi LeeZeeYuen,
just give us a bit more description so we are able to help you.

Maybe some screenshots or example events.

Thanks!


LeeZeeYuen
New Member

This is the dataset that I am currently using (link not included).

I need to use the dataset for a lookup to output the field "siem_severity". The commands used are shown below (link not included).

However, using this command will cause certain events to have two "severity_level" values (link not included).

I need to find a solution to only display one "severity_level" value.
