Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search a Datamodel using field values from a looku...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mztopp
Explorer
02-15-2021
12:30 PM
I have a lookup: test.csv that has a list of 10 IP's (src_ip). I want to be able to search a datamodel that looks for traffic from those 10 IPs in the CSV from the lookup and displays info on the IPs even if it doesn't match. Currently I have tried:
| tstats count from datamodel=DM where
[| inputlookup test.csv | rename src_ip to DM.src_ip
| fields DM.src_ip]
by DM.src_ip
| rename DM.src_ip AS src_ip
| iplocation src_ip
| fillnull value="NULL"
| table src_ip, Country
The issue is that if the IP from the lookup isnt found in the DataModel, it doesn't include that entire line, so instead of 10 IPs with 10 countries, I get maybe 5-6 IPs and their respective countries. I want the DM to always include all 10 IPs from the lookup in the table. I understand that I can just use the lookup to get countries, but I specifically want to have the datamodel available for other data while always including all 10 IPs in the table.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PradReddy
Path Finder
02-15-2021
03:13 PM
If current DM doesn't bring all src_ip related information from subsearch then you can add all src_ip's using an additional inputlookup and append it to DM results
| tstats count from datamodel=DM where
[| inputlookup test.csv
| rename src_ip to DM.src_ip
| fields DM.src_ip]
by DM.src_ip
| rename DM.src_ip AS src_ip
| inputlookup test.csv append=t
| stats values(*) as * by src_ip
| iplocation src_ip
| fillnull value="NULL"
| table src_ip, Country
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PradReddy
Path Finder
02-15-2021
03:13 PM
If current DM doesn't bring all src_ip related information from subsearch then you can add all src_ip's using an additional inputlookup and append it to DM results
| tstats count from datamodel=DM where
[| inputlookup test.csv
| rename src_ip to DM.src_ip
| fields DM.src_ip]
by DM.src_ip
| rename DM.src_ip AS src_ip
| inputlookup test.csv append=t
| stats values(*) as * by src_ip
| iplocation src_ip
| fillnull value="NULL"
| table src_ip, Country
Get Updates on the Splunk Community!
How to send events & findings from AWS to Splunk using Amazon EventBridge
Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
