Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do you combine indexed data and a inputlookup in one search when the MAC Address matches?

umdterps02
Path Finder
‎09-24-2018 11:39 AM

I have an indexed source from tanium and an inputlookup from nessus. I want to run a search that if the MAC Address matches, it returns everything in | inputlookup nessus_assets.csv and Index=tanium IF the MAC Addresses match.

Index=tanium

Computer Name | Computer Serial Number | Operating System | MAC_Address | IP_Address | Domain_Name | Last_Logged_In_User
GHI.DMZ.Local VMware-42-32-g5-23-c1-9f-5f-91-74-9f-fc-ei-0f-f1-a1-7e Windows 10 00:60:57:94:45:b8 192.158.1.53 bob.jill.net steve
DEF.DMZ.Local VMware-42-45-c5-23-c3-8f-4f-91-74-9f-fc-ey-0f-e1-e1-7d Windows 10 00:57:60:80:30:b10 192.158.1.50 bob.jill.net bill
ABC.DMZ.Local VMware-42-38-x5-24-c2-8t-4f-71-74-9f-fc-ez-0f-e1-t1-7d Windows 10 00:68:63:94:45:b11192.158.1.52 bob.jill.net lisa

| inputlookup nessus_assets.csv

IP Address | MAC Address | DNS Name | Netbios Name | Ownership 
192.158.1.53 00:60:57:94:45:b8 bob.net INTERNAL\MSOFT99\BOB  TESTING
192.158.1.50 00:57:60:80:30:b10 bob.net INTERNAL\MSOFT99\JILL TESTING
192.158.1.52 00:68:63:94:45:b11 bob.net INTERNAL\MSOFT99\JACK  TESTING

Output of combined search I want the result to be joined if the MAC Address matches:

IP Address | MAC Address | DNS Name | Netbios Name | Ownership | Computer Name | Computer Serial Number | Operating System | Domain_Name | Last_Logged_In_User

192.158.1.53 00:60:57:94:45:b8 bob.net INTERNAL\MSOFT99\BOB TESTING GHI.DMZ.Local VMware-42-32-g5-23-c1-9f-5f-91-74-9f-fc-ei-0f-f1-a1-7e Windows 10 00:60:57:94:45:b8 192.158.1.53 bob.jill.net steve

192.158.1.50 00:57:60:80:30:b10 bob.net INTERNAL\MSOFT99\JILL TESTING DEF.DMZ.Local VMware-42-45-c5-23-c3-8f-4f-91-74-9f-fc-ey-0f-e1-e1-7d Windows 10 00:57:60:80:30:b10 192.158.1.50 bob.jill.net bill

192.158.1.52 00:68:63:94:45:b11 bob.net INTERNAL\MSOFT99\JACK TESTING ABC.DMZ.Local VMware-42-38-x5-24-c2-8t-4f-71-74-9f-fc-ez-0f-e1-t1-7d Windows 10 00:68:63:94:45:b11 192.158.1.52 bob.jill.net lisa

Any Ideas?

0 Karma
Reply

maniu1609
Path Finder
‎09-25-2018 06:52 AM

You can use below SPL

Index=tanium | lookup nessus_assets.csv MAC Address as MAC_Address |table

0 Karma
Reply

neelamsantosh
Path Finder
‎09-25-2018 06:48 AM

Search
index= tanium |join MAC_Address [| inputlookup nessus_assets.csv|rename "MAC Address" as MAC_Address]|table MAC_Address ..

0 Karma
Reply

umdterps02
Path Finder
‎09-25-2018 09:06 AM

I get the following error =(

Error in 'join' command: Usage: join ()? [subsearch]
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma
Reply

Vijeta
Influencer
‎09-24-2018 01:01 PM

you can do a join on the fields IP Address and MAC address from your index to the lookup.

0 Karma
Reply

umdterps02
Path Finder
‎09-25-2018 05:43 AM

I want to join them, but ONLY if the MAC Address matches. I believe a simple join statement won't work.

Any ideas?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...