Solved: Lookup based on if statement

donemery · ‎08-15-2019

I am looking to enhance a search with a lookup (if it returns an IP) to replace the value returned in the TID field if it matches an IP instead of a DNS name.

I am experimenting with the following but not sure how to do the lookup correctly if the if statement returns a "yes" (or if using eval is even the best method)

| eval TID=if(cidrmatch("10.0.0.0/8", ), , TID)

Ex:
TID: myhostname.acmerocket.com (Do nothing)

TID: 10.100.0.1 (Replace with hostname from myacmelookup.csv)

Examples of possible fields in myacmelookup.csv

IP: 10.100.0.1

HOST: coyote.acmerocket.com

IP: 10.100.0.2
HOST: myhostname.acmerocket.com

woodcock · ‎08-15-2019

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

View solution in original post

woodcock · ‎08-15-2019

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

donemery · ‎08-21-2019

Thanks for your help!

Lookup based on if statement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation