How do you compare 2 fields in a lookup against a single field in Splunk?

Path Finder

Hi,

I have a lookup with 2 fields, (device and IP) either of which can be used to log in to Splunk as the 'host' field. How can I compare both against the host field?

The ultimate aim is to pull back the last time the device logged in to Splunk, either via the device or the IP field.

0 Karma

SplunkTrust

I see at least two options:

  • build a denormalized version of your lookup containing two rows per host, one where host=IP and one where host=device
  • run the original lookup twice and coalesce the output
0 Karma
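
The second option from the answer above, written out as an added SPL example that is not part of the original thread. It assumes a lookup definition named `example_device_lookup` (a hypothetical name) whose columns are called exactly `device` and `IP`, and it uses `index=*` as a stand-in for whichever indexes hold the data.

```spl
| tstats latest(_time) AS last_seen WHERE index=* BY host
| lookup example_device_lookup device AS host OUTPUT device AS device_by_name
| lookup example_device_lookup IP AS host OUTPUT device AS device_by_ip
| eval device=coalesce(device_by_name, device_by_ip)
| where isnotnull(device)
| stats max(last_seen) AS last_seen BY device
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

The first `lookup` matches `host` against the device name and the second matches it against the IP, so `coalesce` returns the device whichever way it reported in. The final `stats` then merges both `host` values for one device into a single most recent timestamp.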