Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup based on if statement

donemery
Explorer
‎08-15-2019 02:58 PM

I am looking to enhance a search with a lookup (if it returns an IP) to replace the value returned in the TID field if it matches an IP instead of a DNS name.

I am experimenting with the following but not sure how to do the lookup correctly if the if statement returns a "yes" (or if using eval is even the best method)

| eval TID=if(cidrmatch("10.0.0.0/8", ), , TID)

Ex:
TID: myhostname.acmerocket.com (Do nothing)

TID: 10.100.0.1 (Replace with hostname from myacmelookup.csv)

Examples of possible fields in myacmelookup.csv

IP: 10.100.0.1

HOST: coyote.acmerocket.com

IP: 10.100.0.2
HOST: myhostname.acmerocket.com

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-15-2019 03:37 PM

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-15-2019 03:37 PM

Like this:

... | lookup myacmelookup.csv IP AS TID
| eval TID=coalesce(HOST, TID)
| fields - HOST
0 Karma
Reply
Solved! Jump to solution

donemery
Explorer
‎08-21-2019 09:56 AM

Thanks for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...