Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Lookup in a lookup table with multivalue fields

vpaschalidis
Loves-to-Learn
‎03-20-2020 01:49 AM

Hello,

I have a lookup table that looks like below:

dns ip
server1 ip1,ip2,ip3
server2 ip4,ip5,ip6
server3 ip7
server4 ip8,ip9,ip10,ip11

So I have a Splunk search that generates a table with IP addresses and I want to automatically populate the relevant dns names

I use the following but it does not work:
| lookup lookup.csv "ip" AS IpAddress OUTPUT "dns" AS server_name

Any idea how to solve it?

Thanks

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-20-2020 06:33 AM

Lookup tables expect to find the exact string in the given column. They do not do substring matching nor to they support multi-value. IOW, it will not find 'ip2' because the column contains the single value 'ip1,ip2,ip3'.
You will need to restructure the lookup table to have a single IP address in each row.

dns ip
server1 ip1
server1 ip2
server1 ip3
server2 ip4
server2 ip5
server2 ip6
server3 ip7
server4 ip8
server4 ip9
server4 ip10
server4 ip11
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...