Splunk Search

Lookup in a lookup table with multivalue fields

vpaschalidis
Loves-to-Learn

Hello,

I have a lookup table that looks like below:

dns ip
server1 ip1,ip2,ip3
server2 ip4,ip5,ip6
server3 ip7
server4 ip8,ip9,ip10,ip11

So I have a Splunk search that generates a table with IP addresses and I want to automatically populate the relevant dns names

I use the following but it does not work:
| lookup lookup.csv "ip" AS IpAddress OUTPUT "dns" AS server_name

Any idea how to solve it?

Thanks

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Lookup tables expect to find the exact string in the given column. They do not do substring matching nor to they support multi-value. IOW, it will not find 'ip2' because the column contains the single value 'ip1,ip2,ip3'.
You will need to restructure the lookup table to have a single IP address in each row.

dns ip
server1 ip1
server1 ip2
server1 ip3
server2 ip4
server2 ip5
server2 ip6
server3 ip7
server4 ip8
server4 ip9
server4 ip10
server4 ip11
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...