Match value from lookup table to values of specific fields
Hi,
How do I match a lookup table of IP addresses against the existing field value of host_ip?
I want to display IP addresses as a search result once they match the value from the lookup file against the existing host_ip field, based on event code.
I have a list of sensitive servers' IP addresses in a .csv lookup file. Now I would like to match the IP addresses against the existing field host_ip based on a specified event code and display the matched IPs as a search result.
Thanks
hey @onkarkore1
Take a look at the documentation of the lookup command:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup
As per your question, you have a host_ip field in the raw data, and let's suppose you have IP and Event_Code fields in the lookup csv.
So run the below search in order to get the matched IPs as mentioned in your question.
<base_search>
| lookup mylookup.csv IP as "host_ip" OUTPUT Event_Code
| search Event_Code=*
| dedup host_ip
| table host_ip
| rename host_ip as "Matched Host IP's"
Let me know if this helps!
Hi Mayur,
Thanks for your response. As per my question, I have a src field in the raw data and I have a server_ip column (only one column) in the csv lookup.
Now I would like to configure the search query which will return the list of servers matching from the lookup table to the raw field's server values, based on the given Event_Code.
I would be thankful if you can suggest something here.
Thanks,
As there is only one column in the csv, you cannot match based on event code, as there is no relevance of event code there.
However, you can still match host IPs.
index=<your_index> [ | inputlookup mylookup.csv | dedup server_ip | table server_ip | rename server_ip as src ] | stats count by src | table src
If this does not work, then try this:
index=<your_index> | dedup src | table src | join src [ | inputlookup mylookup.csv | dedup server_ip | rename server_ip as src ]
Let me know if this helps !
lookup <lookup-table-name> <lookup-field1> AS <local-field1> OUTPUTNEW <lookup-destfield1> AS <local-destfield1>, <lookup-destfield2> AS <local-destfield2>
The only thing you must be aware of is that the local field must exist in the events if you use it in a lookup. Mention the lookup field name which you are matching, together with the event code.
<base_search> | lookup lookup.csv ip AS host_ip OUTPUTNEW ip_address
Here I assume the lookup field name is ip, to match with host_ip in the event, and ip_address is the field in the lookup that holds the servers' IP addresses to display. Change the field names as per your requirement.
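Putting the thread's pieces together for the case the asker actually has (a one-column lookup of sensitive server IPs and an event code that lives in the events, not in the lookup), here is a complete search as an added example. It is not from any of the posts above. It assumes an index named wineventlog, a Windows Security sourcetype whose logon events carry EventCode=4624, a source-IP field named src, and a lookup file sensitive_servers.csv with a single column server_ip; substitute your own names.

```spl
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624
| lookup sensitive_servers.csv server_ip AS src OUTPUT server_ip AS matched_ip
| where isnotnull(matched_ip)
| stats count AS hits, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src
| rename src AS "Matched Host IP"
```

The event-code filter is applied to the events in the base search, so the lookup only has to answer "is this src in the sensitive list?". Outputting the matched column under a new name (matched_ip) and keeping only rows where it is non-null is the standard way to turn lookup into a filter; stats gives you counts and time bounds per server instead of a bare dedup. The subsearch form from the thread, index=wineventlog EventCode=4624 [ | inputlookup sensitive_servers.csv | rename server_ip AS src | fields src ], produces the same rows but expands the lookup into an OR of src=... terms, and a subsearch returns at most 10,000 results by default (limits.conf, [subsearch] maxout), so for a long sensitive-server list the lookup-command form is the safer choice.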
