I have an external lookup script that works mostly fine. Given an IP address from an event, it can match the address to a CIDR formatted allocation, showing me what organization the IP belongs to.
Some systems have more than one IP address, and Splunk doesn't seem to want to look up both IPs: it usually looks up the first, assigns an organization, and then seems to ignore the second. But I need both organization names. An event like:
2011-11-10 09:38:55,blah,cat,dog,"192.168.0.2, 192.168.5.2",foo,bar
Comes back with "org=SectionA" based on the 0.2 address, but what about 5.2? How do I get Splunk to keep looking?
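One way to make the external lookup itself handle a multi-IP field, as an added Python example (not the original poster's script): it splits the comma-separated value, does a longest-prefix CIDR match for each address, and returns one organization per IP. The allocation table, the `ip`/`org` field names and the CSV-on-stdin convention are assumptions.

```python
# Added example (not the poster's script): a Splunk-style external lookup that
# maps each IP in a comma-separated field to the organization owning its CIDR
# block. Allocations and field names are constructed for illustration.
import csv
import ipaddress
import sys

# Constructed allocation table: CIDR block -> organization.
# The /16 overlaps the two /24s so that longest-prefix matching matters.
ALLOCATIONS = {
    "192.168.0.0/24": "SectionA",
    "192.168.5.0/24": "SectionB",
    "192.168.0.0/16": "SectionAll",
    "10.0.0.0/8": "Corp",
}

NETWORKS = [(ipaddress.ip_network(c), org) for c, org in ALLOCATIONS.items()]
# Longest prefix first so the most specific allocation wins
NETWORKS.sort(key=lambda n: n[0].prefixlen, reverse=True)


def match_org(ip):
    """Return the organization for a single IP, or None if unallocated/invalid."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    for net, org in NETWORKS:
        if addr.version == net.version and addr in net:
            return org
    return None


def lookup_orgs(ip_field):
    """Split a multi-IP field like '192.168.0.2, 192.168.5.2' and match each."""
    return [match_org(ip) for ip in ip_field.split(",") if ip.strip()]


def main():
    # Assumed Splunk external lookup convention: CSV with a header on stdin,
    # the same header echoed on stdout with the output column filled in.
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        orgs = lookup_orgs(row.get("ip", ""))
        row["org"] = ", ".join(o or "unknown" for o in orgs)
        writer.writerow(row)


if __name__ == "__main__":
    main()
```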
I found that mvexpand does the trick. It makes two separate events, one with each IP. Not exactly what I was hoping for, but close enough to get the job done.
Is this still the case, that you cannot do lookups on multi-value fields?
e.g. I might have a list of 100 hosts similar to: hostname, (ip1, ip2)
I want to add location, sys-owner to this table. Both IPs may have the same location but sys-owner will differ.
lookup table
I want to see something like the following come out for each line.
hostname  ip1  Toronto  Smith
          ip2  Toronto  Jones
How would I do this?
| inputlookup mylastresults.csv | makemv delim=" " ip | mvexpand ip
| lookup gatheripinfo ip OUTPUT location sys-owner
| table hostname ip location sys-owner
We manipulated the data before adding it to Splunk. However, I really wanted dynamic data, so I kept digging. I found that I can use mvexpand to get both zones out.
I've had a very similar problem with CIDR matching. I'm curious as to how you managed to do this? As far as I know Splunk doesn't do lookups at index time? Or are you manipulating the data before sending to Splunk?
You know, since the zone doesn't change often (or maybe ever) we took our input data and wrote a script to do the lookup and add the zones as an extra field before indexing. No more lookup script.
try using "192.168.0.2" OR "192.168.5.2"
I don't think I can, I have 11.2 million events in here. There's like, 6 digits worth of distinct IPs.