Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search lookup rename and use values not in CSV file

cdohertypp
New Member
‎06-26-2019 09:27 AM

Wondering can this be done - I'm trying to use IPs (there's 50 of them) from a CSV file for a dashboard to Name ones commonly seen but I would also like to have IPs displayed not in the CSV file to be charted both the field in Splunk and the one in the CSV are called "src".

So far I've been able to translate the IPs in the CSV, but unable to display the whole results without losing the name of the IPs from the CSV file.

What am I doing wrong here? I've tried a number of different ways but suspect its something very simple I've missed

index=fw service=22 dst=22.168.X.X | lookup ip_fw src AS src OUTPUT name_ip | stats count by name_ip

ip_fw csv file
src,name_ip
193.101.X.12,CompanyA
213.101.X.13,CompanyB
103.101.X.12,CompanyC

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 12:27 AM

Hi @cdohertypp,

You could try to use fillnull or and if statement to fill out all the values that didn't match, I think something like this should do the trick for you:

  index=fw service=22 dst=22.168.X.X | lookup ip_fw src AS src OUTPUT name_ip | eval name_ip=if(isnull(name_ip), src, name_ip) | stats count by name_ip

Let me know if that helps.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 12:27 AM

Hi @cdohertypp,

You could try to use fillnull or and if statement to fill out all the values that didn't match, I think something like this should do the trick for you:

  index=fw service=22 dst=22.168.X.X | lookup ip_fw src AS src OUTPUT name_ip | eval name_ip=if(isnull(name_ip), src, name_ip) | stats count by name_ip

Let me know if that helps.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

cdohertypp
New Member
‎06-27-2019 01:24 AM

Thanks mate that did it cheers

but had to change the eval to

eval name_ip=if(isnull(name_ip), src, name_ip)

Gent

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-27-2019 01:26 AM

Awesome ! Glad to know it worked, edited the answer and replaced by src 🙂

0 Karma
Reply
Solved! Jump to solution

sandeepmakkena
Contributor
‎06-26-2019 01:42 PM

I can't get what you want here, can you make it clear.

0 Karma
Reply
Solved! Jump to solution

cdohertypp
New Member
‎06-26-2019 11:26 PM

Basically whatever IPs are in the CSV file id like the corresponding compamny name on the chart instead or in addition to the IP in the firewall logs ...but also IPs that are not in the CSV to be displayed also so ive full visibility of all traffic

Hope that makes sense

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...