Solved: How to use a lookup file to search for ip addresse...

jcaron9999a · ‎08-23-2022

I have a lookup file called ipaddress.csv. The column title in the file is ipaddress. I want to search my logs for all of these ip addresses. I know I need to use inputlookup to get the addresses from the file, but I can't figure out how to then feed them to a search.

Thanks in advance

bowesmana · ‎08-23-2022

This is a subsearch, where the inputlookup is used as a subsearch

your_base_search [ | inputlookup ipaddress.csv | fields ipaddress ]

Here the subsearch ([] section) runs first and returns a structured piece of text with

ipaddress=A OR ipaddress=B OR ipaddress=C

and so on to the outer search. Note that if your ip address field in your main index search is something different, then before the fields command, you should do a rename

| rename ipaddress as your_ip_field

View solution in original post

bowesmana · ‎08-23-2022

This is a subsearch, where the inputlookup is used as a subsearch

your_base_search [ | inputlookup ipaddress.csv | fields ipaddress ]

Here the subsearch ([] section) runs first and returns a structured piece of text with

ipaddress=A OR ipaddress=B OR ipaddress=C

and so on to the outer search. Note that if your ip address field in your main index search is something different, then before the fields command, you should do a rename

| rename ipaddress as your_ip_field

jcaron9999a · ‎08-23-2022

Thanks! That did the trick.

How to use a lookup file to search for ip addresses in my logs?

lookup

subsearch

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?