- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you combine indexed data and a inputloo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you combine indexed data and a inputlookup in one search when the MAC Address matches?
I have an indexed source from tanium and an inputlookup from nessus. I want to run a search that if the MAC Address matches, it returns everything in | inputlookup nessus_assets.csv and Index=tanium IF the MAC Addresses match.
Index=tanium
Computer Name | Computer Serial Number | Operating System | MAC_Address | IP_Address | Domain_Name | Last_Logged_In_User
GHI.DMZ.Local VMware-42-32-g5-23-c1-9f-5f-91-74-9f-fc-ei-0f-f1-a1-7e Windows 10 00:60:57:94:45:b8 192.158.1.53 bob.jill.net steve
DEF.DMZ.Local VMware-42-45-c5-23-c3-8f-4f-91-74-9f-fc-ey-0f-e1-e1-7d Windows 10 00:57:60:80:30:b10 192.158.1.50 bob.jill.net bill
ABC.DMZ.Local VMware-42-38-x5-24-c2-8t-4f-71-74-9f-fc-ez-0f-e1-t1-7d Windows 10 00:68:63:94:45:b11192.158.1.52 bob.jill.net lisa
| inputlookup nessus_assets.csv
IP Address | MAC Address | DNS Name | Netbios Name | Ownership
192.158.1.53 00:60:57:94:45:b8 bob.net INTERNAL\MSOFT99\BOB TESTING
192.158.1.50 00:57:60:80:30:b10 bob.net INTERNAL\MSOFT99\JILL TESTING
192.158.1.52 00:68:63:94:45:b11 bob.net INTERNAL\MSOFT99\JACK TESTING
Output of combined search I want the result to be joined if the MAC Address matches:
IP Address | MAC Address | DNS Name | Netbios Name | Ownership | Computer Name | Computer Serial Number | Operating System | Domain_Name | Last_Logged_In_User
192.158.1.53 00:60:57:94:45:b8 bob.net INTERNAL\MSOFT99\BOB TESTING GHI.DMZ.Local VMware-42-32-g5-23-c1-9f-5f-91-74-9f-fc-ei-0f-f1-a1-7e Windows 10 00:60:57:94:45:b8 192.158.1.53 bob.jill.net steve
192.158.1.50 00:57:60:80:30:b10 bob.net INTERNAL\MSOFT99\JILL TESTING DEF.DMZ.Local VMware-42-45-c5-23-c3-8f-4f-91-74-9f-fc-ey-0f-e1-e1-7d Windows 10 00:57:60:80:30:b10 192.158.1.50 bob.jill.net bill
192.158.1.52 00:68:63:94:45:b11 bob.net INTERNAL\MSOFT99\JACK TESTING ABC.DMZ.Local VMware-42-38-x5-24-c2-8t-4f-71-74-9f-fc-ez-0f-e1-t1-7d Windows 10 00:68:63:94:45:b11 192.158.1.52 bob.jill.net lisa
Any Ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use below SPL
Index=tanium | lookup nessus_assets.csv MAC Address as MAC_Address |table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search
index= tanium |join MAC_Address [| inputlookup nessus_assets.csv|rename "MAC Address" as MAC_Address]|table MAC_Address ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get the following error =(
Error in 'join' command: Usage: join ()? [subsearch]
The search job has failed due to an error. You may be able view the job in the Job Inspector.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can do a join on the fields IP Address and MAC address from your index to the lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to join them, but ONLY if the MAC Address matches. I believe a simple join statement won't work.
Any ideas?
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
