Splunk Search

How do I use the data from lookup table column as search on live index?

socks
Loves-to-Learn Lots

I just built my first lookup table, because I have a CSV of about 200 servers in different IP spaces and I need to perform two things: 1. confirm the IPs in the CSV are in Splunk, and 2. display per IP what ports are listening.

So my query has been this 

index=* |stats count by src_ip , dest_port [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address " as query



I have confirmed the lookup table is there and I can see it, and I can query the network. I'm just having issues with ingesting the 200+ IPs as search items and then marrying the ports and protocols with it. Thanks in advance if this makes sense, or am I looking at it all wrong?


yuanliu
SplunkTrust

I think what you mean to do is

index=* [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address" as src_ip]
| stats count by src_ip, dest_port

(Note your sample code missed a closing bracket; also the rename command contained an extra space in quotes.)


Zhanali
Path Finder

Hello @socks 

Also, try this

| inputlookup networkservers.csv
| rename "IPv4 Address" as src_ip
| join type=outer src_ip
    [| search index=* src_ip=* dest_port=*
    | stats count by src_ip dest_port]


SanjayReddy
SplunkTrust

Hi @socks 

Can you try with this 

index=*
| lookup networkservers.csv "IPv4 Address" as src_ip OUTPUT src_ip
| stats count by src_ip,dest_port


socks
Loves-to-Learn Lots

Nope, this is not working, as the query seems to think the field src_ip is in the lookup table, and it is not.

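Putting the thread's two goals (confirm each CSV IP is present in Splunk, and list its listening ports) into one search, as an added example that is not code from any poster above. It assumes, as in the original question, that the events carry src_ip and dest_port and that the lookup's only relevant column is "IPv4 Address"; the lookup is never asked for a field it does not contain.

```spl
| Search events only for the IPs in the CSV; the subsearch expands to
| (src_ip="a.b.c.d" OR src_ip="...") from the "IPv4 Address" column
index=* dest_port=*
    [| inputlookup networkservers.csv
     | fields "IPv4 Address"
     | rename "IPv4 Address" AS src_ip]
| stats count AS events, values(dest_port) AS listening_ports BY src_ip
| Add one row per CSV entry so IPs with zero events still appear
| append
    [| inputlookup networkservers.csv
     | rename "IPv4 Address" AS src_ip]
| Merge the event rows and the CSV rows on src_ip
| stats sum(events) AS events, values(listening_ports) AS listening_ports BY src_ip
| fillnull value=0 events
| eval seen_in_splunk=if(events > 0, "yes", "no")
| table src_ip, seen_in_splunk, listening_ports, events
```

Replace index=* with the index that actually holds the port data; with 200 rows the subsearch stays well inside Splunk's default subsearch result limit, and any row showing seen_in_splunk="no" is a CSV host with no matching events in the search window.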