Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare a search field value with a field value in a lookup ?

mah
Builder
‎08-19-2020 11:59 PM

Hi,

My issue is : 

I have a query which contains a "NetworkIterface" field: eni-12345, eni-6789, ...
I have a lookup which contains the list of network interfaces whose ip are public:
I want to be able to create a request which, by combining the search and the lookup, only shows the network interface whose ip are public only.

I have a lookup like that :

ENIPublic IP
eni-1234192.10.10.10
eni-5678192.10.10.11
eni-9012192.10.10.12

 

My search is basic : 

Index=abc sourcetype=xyz NetworkInterface=* 

Thanks for your help !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-20-2020 01:21 AM

Hi @mah ,

This should work:

| makeresults 
| eval ENI = "eni-1234 eni-9012 eni-9013 eni-9015" 
| makemv ENI
| mvexpand ENI

| lookup pubip.csv "ENI"  OUTPUT "Public IP" as IP
| where IP!=""



You only need the lines starting with the lookup command. The ones above that are just to create some sample data.

Sidenote: I recommend to output your "Public IP" field as "IP" (or maybe "PublicIP"), because spaces in field names cause issues. I could not get the "where" command to work correct with "Public IP" as fieldname...

Hope it helps.

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-20-2020 01:21 AM

Hi @mah ,

This should work:

| makeresults 
| eval ENI = "eni-1234 eni-9012 eni-9013 eni-9015" 
| makemv ENI
| mvexpand ENI

| lookup pubip.csv "ENI"  OUTPUT "Public IP" as IP
| where IP!=""



You only need the lines starting with the lookup command. The ones above that are just to create some sample data.

Sidenote: I recommend to output your "Public IP" field as "IP" (or maybe "PublicIP"), because spaces in field names cause issues. I could not get the "where" command to work correct with "Public IP" as fieldname...

Hope it helps.

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...