Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search lookup rename and use values not in CSV file

cdohertypp
New Member
‎06-26-2019 09:27 AM

Wondering can this be done - I'm trying to use IPs (there's 50 of them) from a CSV file for a dashboard to Name ones commonly seen but I would also like to have IPs displayed not in the CSV file to be charted both the field in Splunk and the one in the CSV are called "src".

So far I've been able to translate the IPs in the CSV, but unable to display the whole results without losing the name of the IPs from the CSV file.

What am I doing wrong here? I've tried a number of different ways but suspect its something very simple I've missed

index=fw service=22 dst=22.168.X.X | lookup ip_fw src AS src OUTPUT name_ip | stats count by name_ip

ip_fw csv file
src,name_ip
193.101.X.12,CompanyA
213.101.X.13,CompanyB
103.101.X.12,CompanyC

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 12:27 AM

Hi @cdohertypp,

You could try to use fillnull or and if statement to fill out all the values that didn't match, I think something like this should do the trick for you:

  index=fw service=22 dst=22.168.X.X | lookup ip_fw src AS src OUTPUT name_ip | eval name_ip=if(isnull(name_ip), src, name_ip) | stats count by name_ip

Let me know if that helps.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 12:27 AM

Hi @cdohertypp,

You could try to use fillnull or and if statement to fill out all the values that didn't match, I think something like this should do the trick for you:

  index=fw service=22 dst=22.168.X.X | lookup ip_fw src AS src OUTPUT name_ip | eval name_ip=if(isnull(name_ip), src, name_ip) | stats count by name_ip

Let me know if that helps.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

cdohertypp
New Member
‎06-27-2019 01:24 AM

Thanks mate that did it cheers

but had to change the eval to

eval name_ip=if(isnull(name_ip), src, name_ip)

Gent

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-27-2019 01:26 AM

Awesome ! Glad to know it worked, edited the answer and replaced by src 🙂

0 Karma
Reply
Solved! Jump to solution

sandeepmakkena
Contributor
‎06-26-2019 01:42 PM

I can't get what you want here, can you make it clear.

0 Karma
Reply
Solved! Jump to solution

cdohertypp
New Member
‎06-26-2019 11:26 PM

Basically whatever IPs are in the CSV file id like the corresponding compamny name on the chart instead or in addition to the IP in the firewall logs ...but also IPs that are not in the CSV to be displayed also so ive full visibility of all traffic

Hope that makes sense

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...