Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup in a lookup table with multivalue fields

vpaschalidis
Loves-to-Learn
‎03-20-2020 01:49 AM

Hello,

I have a lookup table that looks like below:

dns ip
server1 ip1,ip2,ip3
server2 ip4,ip5,ip6
server3 ip7
server4 ip8,ip9,ip10,ip11

So I have a Splunk search that generates a table with IP addresses and I want to automatically populate the relevant dns names

I use the following but it does not work:
| lookup lookup.csv "ip" AS IpAddress OUTPUT "dns" AS server_name

Any idea how to solve it?

Thanks

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-20-2020 06:33 AM

Lookup tables expect to find the exact string in the given column. They do not do substring matching nor to they support multi-value. IOW, it will not find 'ip2' because the column contains the single value 'ip1,ip2,ip3'.
You will need to restructure the lookup table to have a single IP address in each row.

dns ip
server1 ip1
server1 ip2
server1 ip3
server2 ip4
server2 ip5
server2 ip6
server3 ip7
server4 ip8
server4 ip9
server4 ip10
server4 ip11
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...