I just built my first lookup table, because I have a CSV of about 200 servers in different IP spaces and I need to do two things: 1. confirm the IPs in the CSV are in Splunk, and 2. display per IP what ports are listening.
So my query has been this:
index=* |stats count by src_ip , dest_port [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address " as query
I have confirmed the lookup table is there and I can see it, and I can query the network. I'm just having issues with ingesting the 200+ IPs as search items and then marrying the ports and protocols with them. Thanks in advance if this makes sense, or am I looking at it all wrong?
I think what you mean to do is:
index=* [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address" as src_ip]
| stats count by src_ip, dest_port
(Note that your sample code is missing a closing bracket, and the rename command had an extra space inside the quotes.)
Hello @socks
Also, try this:
| inputlookup networkservers.csv
| rename "IPv4 Address" as src_ip
| join type=outer src_ip
[| search index=* src_ip=* dest_port=*
| stats count by src_ip dest_port]
Hi @socks
Can you try this:
index=*
| lookup networkservers.csv "IPv4 Address" as src_ip OUTPUT src_ip
| stats count by src_ip,dest_port
Nope, this is not working, as the query seems to think the field src_ip is in the lookup table, and it is not.
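As an added example (not code from any of the posters above), the following search combines the two goals from the original question in one pipeline: the subsearch from the first answer restricts the indexed events to the IPs in networkservers.csv, and appending the CSV itself back onto the result makes every inventory IP appear in the output, so servers with zero matching events are reported as not seen rather than silently dropped. It assumes, as the thread does, that the CSV column is "IPv4 Address", that the events carry src_ip and dest_port, and that index=* is acceptable; if the servers are the destination of the connections in your data, use dest_ip in place of src_ip throughout. The field names events, observed_dest_ports, status and inventory_ip are chosen here and are not from the thread.

```spl
| inputlookup networkservers.csv
| rename "IPv4 Address" as src_ip
| fields src_ip
| append
    [ search index=* src_ip=* dest_port=*
        [ | inputlookup networkservers.csv
          | fields "IPv4 Address"
          | rename "IPv4 Address" as src_ip ]
      | stats count as events values(dest_port) as observed_dest_ports by src_ip ]
| stats sum(events) as events values(observed_dest_ports) as observed_dest_ports by src_ip
| fillnull value=0 events
| eval status=if(events > 0, "seen in Splunk", "not seen in Splunk")
| table src_ip status events observed_dest_ports
```

The inner `[ | inputlookup ... ]` subsearch expands to an OR of src_ip values, which is fine for a few hundred servers (the default subsearch result cap is 10,000). The outer stats re-aggregates the inventory rows, which have no events field, together with the counted rows, and fillnull turns the resulting null into 0 so the status test works. On the last comment in the thread: the OUTPUT clause of the lookup command names fields that exist in the lookup file, so `OUTPUT src_ip` fails because src_ip is not a column there; the same tagging effect is obtained with `| lookup networkservers.csv "IPv4 Address" as src_ip OUTPUT "IPv4 Address" as inventory_ip | where isnotnull(inventory_ip)`. One caveat on reading the output as a listening-port list: observed_dest_ports reflects only the ports that appeared in traffic during the search window, not a scan of what the server actually has listening.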