Lookup when format is not equal.

lakromani · ‎03-13-2016

I already have a CSV file for an other app that uses mac to IP/Name.

Format is like this:

mac,ip,host_name
6067.209c.ce2c,10.10.10.186,pc-test
c01a.da25.da0e,10.10.10.163,server
100b.a91e.5cdc,10.10.10.160,phone

Now I have an other input that looks like this:

nic1 BC:F2:AF:C6:F0:25 TX 209 mbps
nic1 BC:F2:AF:C6:F0:18 TX 129 mbps

Is there a way to do a lookup for the mac in the mac to IP/Host file when format is different?

martin_mueller · ‎03-13-2016

You could schedule a search that adds the other format to the lookup file periodically, and use that in your automatic lookup. Something like this:

| inputlookup file
| eval mac2 = coalesce(mac2, replace(replace(upper(mac), "\.", ""), "([^:][^:])(?!$)", "\1:"))
| outputlookup file

You'd have the original value in mac and the other notation in mac2.

jkat54 · ‎03-13-2016

You can use evals to change the format prior to the lookup. I often take everything to lowercase/uppercase prior to joins and lookups. Your requirements would be a bit trickier but Martin has done the tricky eval part it appears.

Lookup when format is not equal.

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Lookup when format is not equal.

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle