Splunk Search

How to inputlookup on a field that is "rex" generated?

Path Finder

Hi,

I have two pieces of data: 1. a list of IP addresses stored in a lookup table host2ips.csv; 2. a source where IP addresses are embedded. So my task is to filter the source and leave only the records with IP addresses in the lookup list.

I got an error when I used the following code. It would be greatly appreciated if someone can advise me on this.

search sourcetype=source1 | rex "...(?<>\S*)..." [inputlookup host2ips.csv | fields ip]

Thanks and Regards,

Wayne

1 Solution

SplunkTrust

Hi xiangtaner,

If I understand your question correctly, this search should work for you:

 search sourcetype=source1 | rex "...(?<ip>\S*)..." | search [ | inputlookup host2ips.csv | fields ip]

This will search sourcetype=source1 and rex out the ip, and further down the pipe it will search for all IPs from host2ips.csv in sourcetype=source1.

Hope this helps ...

cheers, MuS

PS: there is probably an even more efficient way to do it, by adding the [ | inputlookup ... ] to the base search (everything before the first |) ...

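Two follow-up variants of the accepted search, added here as an example and not part of MuS's answer, assuming the lookup has a column named ip and that the "..." in the rex pattern stands for the asker's real regex. The first pushes the IP list into the base search as raw terms (the idea in the PS; renaming the subsearch field to search makes it return bare values rather than ip=... clauses, which would not match a field that only exists after rex), then still confirms on the extracted field because a raw-term hit can come from anywhere in the event. The second replaces the subsearch with the lookup command, which is not subject to subsearch row and time limits.

```spl
sourcetype=source1
    [ | inputlookup host2ips.csv | fields ip | rename ip AS search ]
| rex "...(?<ip>\S*)..."
| search [ | inputlookup host2ips.csv | fields ip ]

sourcetype=source1
| rex "...(?<ip>\S*)..."
| lookup host2ips.csv ip OUTPUT ip AS matched_ip
| where isnotnull(matched_ip)
| fields - matched_ip
```

An inputlookup subsearch is cut off at the limits.conf defaults of 10,000 rows and 60 seconds, so a large IP list is silently incomplete in the first form but not in the second.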


Path Finder

Nice, it works, Thanks MuS!
