Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup based on if statement

donemery
Explorer
‎08-15-2019 02:58 PM

I am looking to enhance a search with a lookup (if it returns an IP) to replace the value returned in the TID field if it matches an IP instead of a DNS name.

I am experimenting with the following but not sure how to do the lookup correctly if the if statement returns a "yes" (or if using eval is even the best method)

| eval TID=if(cidrmatch("10.0.0.0/8", ), , TID)

Ex:
TID: myhostname.acmerocket.com (Do nothing)

TID: 10.100.0.1 (Replace with hostname from myacmelookup.csv)

Examples of possible fields in myacmelookup.csv

IP: 10.100.0.1

HOST: coyote.acmerocket.com

IP: 10.100.0.2
HOST: myhostname.acmerocket.com

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-15-2019 03:37 PM

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-15-2019 03:37 PM

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

View solution in original post

0 Karma
Reply
Solved! Jump to solution

donemery
Explorer
‎08-21-2019 09:56 AM

Thanks for your help!

0 Karma
Reply
Get Updates on the Splunk Community!