Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare a search result with a lookup?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kranthi851
New Member
06-07-2016
01:03 PM
Hi,
I have to get a result which is not in the lookup file. In the lookup, I have TIME and IP_PN. In the search result, I get the output CURRENTTIME, IP_PN. Now I need to get the output result of IP_PN which is not in the lookup. Can you let me know how to do it?
Search I'm using:
index=123|....|rename _time as currenttime|join IP_PN [|alert.csv]
Result:
currenttime IP_PN time
1465074992.23 10.1.2.3-22 1464988380.57
1465074992.23 10.22.1.1-44e 1464988380.57
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jensonthottian
Contributor
06-09-2016
08:48 AM
index=main source=qualys |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=*)|eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT))| makemv delim=";" pn|mvexpand pn |where pn!="Null"|makemv pn|mvexpand pn|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| |lookup qualys_alert.csv IP_PN OUTPUTNEW IP_PN AS status|search NOT status=*| table currenttime IP_PN
The above should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jensonthottian
Contributor
06-09-2016
08:48 AM
index=main source=qualys |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=*)|eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT))| makemv delim=";" pn|mvexpand pn |where pn!="Null"|makemv pn|mvexpand pn|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| |lookup qualys_alert.csv IP_PN OUTPUTNEW IP_PN AS status|search NOT status=*| table currenttime IP_PN
The above should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sameera123
Explorer
06-08-2016
03:12 AM
index=123 |lookup alert.csv IP_PN OUTPUTNEW IP_PN AS status|search NOT status=*|table CURRENTTIME,IP_PN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-07-2016
01:07 PM
Try this
index=123 NOT [inputlookup alert.csv | table IP_PN] | table CURENTTIME, IP_PN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kranthi851
New Member
06-07-2016
02:15 PM
I tried, i'm getting the results, which are in lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-07-2016
02:17 PM
Post your full search that you tried.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kranthi851
New Member
06-07-2016
02:35 PM
index=main source=qualys IP=10.21.16.195 |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=*)|eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT))| makemv delim=";" pn|mvexpand pn |where pn!="Null"|makemv pn|mvexpand pn|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| search NOT [|inputlookup qualys_alert.csv | table IP_PN] | table currenttime IP_PN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-07-2016
02:55 PM
Is the format of values of field IP_PN same in both your search results and lookup? Lookup is case sensitive (in case your values contain alphabets)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-07-2016
02:53 PM
Try this
index=main source=qualys IP=10.21.16.195 |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT= OR TCP_PORT= OR UDP_PORT=*)| eval z=mvzip(pn, mvzip(UDP_PORT, TCP_PORT) ) | mvexpand z |where pn!="Null"|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| search NOT [|inputlookup qualys_alert.csv | table IP_PN] | table currenttime IP_PN
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
