Solved: Lookup from CSV and output another column

logtastic · ‎06-07-2021

Hello,

I am comparing a host.csv file with two columns "IP" and "DNS" I want to compare the IP column to my base search and also output the DNS column from the CSV. I have the following working by renaming the IP column from my CSV to the src_ip field in Splunk but I need help with outputting the DNS column from excel:

index=test 
    [| inputlookup hosts.csv 
    | rename IP as src_ip
    | fields src_ip]
| stats count(src_ip) by sourcetype

I tried a few things but no luck. Thank you!

venkatasri · ‎06-07-2021

Hi @logtastic

You can try following query.

index=test 
    [| inputlookup hosts.csv 
    | rename IP as src_ip
    | fields src_ip] 
| fields src_ip sourcetype
| lookup hosts.csv IP as src_ip OUTPUTNEW dns
| stats count(src_ip) by sourcetype

-------------

An upvote would be appreciated if it helps!

View solution in original post

venkatasri · ‎06-07-2021

Hi @logtastic

You can try following query.

index=test 
    [| inputlookup hosts.csv 
    | rename IP as src_ip
    | fields src_ip] 
| fields src_ip sourcetype
| lookup hosts.csv IP as src_ip OUTPUTNEW dns
| stats count(src_ip) by sourcetype

-------------

An upvote would be appreciated if it helps!

Lookup from CSV and output another column

field extraction

fields

join

lookup

subsearch

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases