Solved: Lookup based on if statement

donemery · ‎08-15-2019

I am looking to enhance a search with a lookup (if it returns an IP) to replace the value returned in the TID field if it matches an IP instead of a DNS name.

I am experimenting with the following but not sure how to do the lookup correctly if the if statement returns a "yes" (or if using eval is even the best method)

| eval TID=if(cidrmatch("10.0.0.0/8", ), , TID)

Ex:
TID: myhostname.acmerocket.com (Do nothing)

TID: 10.100.0.1 (Replace with hostname from myacmelookup.csv)

Examples of possible fields in myacmelookup.csv

IP: 10.100.0.1

HOST: coyote.acmerocket.com

IP: 10.100.0.2
HOST: myhostname.acmerocket.com

woodcock · ‎08-15-2019

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

View solution in original post

woodcock · ‎08-15-2019

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

donemery · ‎08-21-2019

Thanks for your help!

Lookup based on if statement

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

Lookup based on if statement

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025