Solved: Lookup based on if statement

donemery · ‎08-15-2019

I am looking to enhance a search with a lookup (if it returns an IP) to replace the value returned in the TID field if it matches an IP instead of a DNS name.

I am experimenting with the following but not sure how to do the lookup correctly if the if statement returns a "yes" (or if using eval is even the best method)

| eval TID=if(cidrmatch("10.0.0.0/8", ), , TID)

Ex:
TID: myhostname.acmerocket.com (Do nothing)

TID: 10.100.0.1 (Replace with hostname from myacmelookup.csv)

Examples of possible fields in myacmelookup.csv

IP: 10.100.0.1

HOST: coyote.acmerocket.com

IP: 10.100.0.2
HOST: myhostname.acmerocket.com

woodcock · ‎08-15-2019

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

View solution in original post

woodcock · ‎08-15-2019

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

donemery · ‎08-21-2019

Thanks for your help!

Lookup based on if statement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation