Splunk Search

If I have an IP address from a search, how do I look for its hostname from a lookup table?

np_hwp
Engager

Hello experts, 

If I have only IP address of  hosts from a search, how do I look for its hostname from a lookup table?

Let say, I search, index=network_device.   

I have a lookup table that contains IP address and host names of all assets.

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Let's assume the network_device index contains a field called ip_address that holds the IP address of a host.  Let's also assume you have a lookup table called hostnames.csv with two fields: ip_address and hostname.

To get a host name from an IP address, a query might look something like this.

index=network_device ip_address=*
| lookup hostnames.csv ip_address OUTPUT hostname
| table ip_address hostname

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @np_hwp,

if the field in your lookup are called ip and hostname and the field in the search is called ip, you could run something like this:

index=network_device
| lookup your_lookup.csv ip OUTPUT hostname
| table ip hostname

For more infos see the lookup command https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Lookup 

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @np_hwp,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors :winking_face:

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Let's assume the network_device index contains a field called ip_address that holds the IP address of a host.  Let's also assume you have a lookup table called hostnames.csv with two fields: ip_address and hostname.

To get a host name from an IP address, a query might look something like this.

index=network_device ip_address=*
| lookup hostnames.csv ip_address OUTPUT hostname
| table ip_address hostname

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...