Splunk Search

How do I use the data from lookup table column as search on live index?

socks
Loves-to-Learn Lots

I just built my first lookup table, because I have a csv of about 200 servers with the in different ip spaces and I need to perform 2 things . 1. confirm the ip's in the csv's are in splunk and 2. display per ip what ports are listening.

So my query has been this 

index=* |stats count by src_ip , dest_port [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address " as query



I have confirmed the lookup table is there and I can see it , and I can query the network, im just having issues with ingesting the 200+ ips as search items and then marrying the ports and prots with it . thanks in advance if this makes sense or am i looking at it all wrong ?

Labels (4)
Tags (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I think what you mean to do is

index=* [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address" as src_ip]
| stats count by src_ip, dest_port

 (Note your sample code missed a closing bracket; also the rename command contained  an extra space in quotes.)

0 Karma

Zhanali
Path Finder

Hello @socks 

Also, try this

| inputlookup networkservers.csv
| rename "IPv4 Address" as src_ip
| join type=outer src_ip
    [| search index=* src_ip=* dest_port=*
    | stats count by src_ip dest_port]

 

0 Karma

SanjayReddy
SplunkTrust
SplunkTrust

Hi @socks 

Can you try with this 

index=*
| lookup networkservers.csv "IPv4 Address" as src_ip OUTPUT src_ip
| stats count by src_ip,dest_port

 

0 Karma

socks
Loves-to-Learn Lots

nope this is not working , as the query seems to think the field src_ip is in the lookup table and it is not

 

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Hi Splunky people! We are excited to share the newest updates in Splunk Enterprise 9.3!Admins and Analyst can ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...