Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Replacing multiple values in events with data from...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cevans99
New Member
10-20-2015
06:53 AM
I am fairly new to Splunk so forgive me if this is a simple question. I have a lookup table with the following data:
IP_Address,Name,Comment
Each IP_Address field is populated in the table but some of the Name and Comment fields are not.
I have a search of my firewall logs that displays a src IP address and a dst IP address. I would like to replace the actual IP's with values from the lookup table. Basically, I am just needing to rename the src and dst fields to hostnames via a lookup table. I am able to get the lookup table to append (not replace) the data from the lookup table but only for one or the other (src or dst) but I really need it to replace both the src and dst IP's with the Name value from the lookup table.
Here is what I have so far. If someone could help guide me in the correct direction with the second half I would certainly appreciate the help. I have read the lookup documentation and examples but I'm a little confused about how to replace multiple values etc.
index=fwlog src=10.10.10.* |table src, dst |lookup IP_Data.csv IP_Address AS src OUTPUT Name
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-20-2015
07:18 AM
Like this:
index=fwlog src=10.10.10.* | table src, dst | lookup IP_Data.csv IP_Address AS src OUTPUT Name AS srcName | lookup IP_Data.csv IP_Address AS dst OUTPUT Name AS dstName
So now yo have 4 fields in your table and if you really need to drop down to 2, you can add this:
| table srcName dstName | rename *Name AS *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-20-2015
07:18 AM
Like this:
index=fwlog src=10.10.10.* | table src, dst | lookup IP_Data.csv IP_Address AS src OUTPUT Name AS srcName | lookup IP_Data.csv IP_Address AS dst OUTPUT Name AS dstName
So now yo have 4 fields in your table and if you really need to drop down to 2, you can add this:
| table srcName dstName | rename *Name AS *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cevans99
New Member
10-20-2015
08:51 AM
Thanks! Given your example I was closer than I thought, I wasn't using multiple LOOKUP/OUTPUT commands. Thank you so much!
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
