Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine a search result and an inputlookup file?

gingyish
New Member
‎12-14-2017 08:56 PM

*etc* = removed text for anonymity

I have a very complex search query that input the following table:
Network , Source_IP, count

Search for this: 

sourcetype="etc" index=*etc* EventCode=*etc* field46="*" | rex field=field46 "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:)(?\d+)\s+(?.*)" | dedup ip network | stats values(ip) as Source_IP dc(ip) as count by network   | sort count desc | table network count |  head 100

I need to match Network with an inputlookup file column account. Join/append? Not sure. The inputlookup file looks like this:
Account, department, environment, primary, secondary

The final output needs to show the initial results with added columns = account, primary and secondary data from the inputlookup file. For those with no match, then it just need to show NULL in those 3 new columns.

Final Output Sample:
network, department, primary, secondary, source_IP, count
testuser , null, null, null, 10.10.10.10, 500
testuser1, team2, director1, director2 , 100.10.10.10, 10
testuser3, team4, director3, director4 , 100.10.10.10, 8

Tags (2)
0 Karma
Reply

starcher
Influencer
‎12-15-2017 10:37 AM

The best way is to use the lookup and fillnull.
... | table network count | lookup mynetwork network | fillnull value=null department, primary, secondary

Reply

starcher
Influencer
‎12-15-2017 10:37 AM

and optionally make your lookup a CIDRMATCH one on the network field.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...