Solved: How to use a lookup file to search for ip addresse...

jcaron9999a · ‎08-23-2022

I have a lookup file called ipaddress.csv. The column title in the file is ipaddress. I want to search my logs for all of these ip addresses. I know I need to use inputlookup to get the addresses from the file, but I can't figure out how to then feed them to a search.

Thanks in advance

bowesmana · ‎08-23-2022

This is a subsearch, where the inputlookup is used as a subsearch

your_base_search [ | inputlookup ipaddress.csv | fields ipaddress ]

Here the subsearch ([] section) runs first and returns a structured piece of text with

ipaddress=A OR ipaddress=B OR ipaddress=C

and so on to the outer search. Note that if your ip address field in your main index search is something different, then before the fields command, you should do a rename

| rename ipaddress as your_ip_field

View solution in original post

bowesmana · ‎08-23-2022

This is a subsearch, where the inputlookup is used as a subsearch

your_base_search [ | inputlookup ipaddress.csv | fields ipaddress ]

Here the subsearch ([] section) runs first and returns a structured piece of text with

ipaddress=A OR ipaddress=B OR ipaddress=C

and so on to the outer search. Note that if your ip address field in your main index search is something different, then before the fields command, you should do a rename

| rename ipaddress as your_ip_field

jcaron9999a · ‎08-23-2022

Thanks! That did the trick.

How to use a lookup file to search for ip addresses in my logs?

lookup

subsearch

Accelerating Observability as Code with the Splunk AI Assistant

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Join the Conversation