Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine a search result and an inputlookup file?

gingyish
New Member
‎12-14-2017 08:56 PM

*etc* = removed text for anonymity

I have a very complex search query that input the following table:
Network , Source_IP, count

Search for this: 

sourcetype="etc" index=*etc* EventCode=*etc* field46="*" | rex field=field46 "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:)(?\d+)\s+(?.*)" | dedup ip network | stats values(ip) as Source_IP dc(ip) as count by network   | sort count desc | table network count |  head 100

I need to match Network with an inputlookup file column account. Join/append? Not sure. The inputlookup file looks like this:
Account, department, environment, primary, secondary

The final output needs to show the initial results with added columns = account, primary and secondary data from the inputlookup file. For those with no match, then it just need to show NULL in those 3 new columns.

Final Output Sample:
network, department, primary, secondary, source_IP, count
testuser , null, null, null, 10.10.10.10, 500
testuser1, team2, director1, director2 , 100.10.10.10, 10
testuser3, team4, director3, director4 , 100.10.10.10, 8

Tags (2)
0 Karma
Reply

starcher
Influencer
‎12-15-2017 10:37 AM

The best way is to use the lookup and fillnull.
... | table network count | lookup mynetwork network | fillnull value=null department, primary, secondary

Reply

starcher
Influencer
‎12-15-2017 10:37 AM

and optionally make your lookup a CIDRMATCH one on the network field.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...