Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lookup when format is not equal.

lakromani
Builder
‎03-13-2016 01:13 PM

I already have a CSV file for an other app that uses mac to IP/Name.

Format is like this:

mac,ip,host_name
6067.209c.ce2c,10.10.10.186,pc-test
c01a.da25.da0e,10.10.10.163,server
100b.a91e.5cdc,10.10.10.160,phone

Now I have an other input that looks like this:

nic1 BC:F2:AF:C6:F0:25 TX 209 mbps
nic1 BC:F2:AF:C6:F0:18 TX 129 mbps

Is there a way to do a lookup for the mac in the mac to IP/Host file when format is different?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-13-2016 02:47 PM

You could schedule a search that adds the other format to the lookup file periodically, and use that in your automatic lookup. Something like this:

| inputlookup file
| eval mac2 = coalesce(mac2, replace(replace(upper(mac), "\.", ""), "([^:][^:])(?!$)", "\1:"))
| outputlookup file

You'd have the original value in mac and the other notation in mac2.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎03-13-2016 02:58 PM

You can use evals to change the format prior to the lookup. I often take everything to lowercase/uppercase prior to joins and lookups. Your requirements would be a bit trickier but Martin has done the tricky eval part it appears.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...