Search using lookup

splunkcol · ‎03-08-2021

Hello, I have two indexes to which I need to compare the source ip and if it is the same, show me a message like true or false.

This is what I did, but I know that the lookup is needed and I don't know how to use it well, could you give me a hand?

splunkcol · ‎03-26-2021

@MuS could you help me?

MuS · ‎04-05-2021

Sorry but no! This post is missing all basic details, informations just to be able to actually recapture what problem you might have encountered. Without further details, informations this can not be solved.

Please provide more details like real world events for both indexes and and what you want to achieve.

MuS

ITWhisperer · ‎03-08-2021

Given that appendcols merges the results from the first search with the results from the second search and that neither search in your example use any specific sort, it seems that it may well be random as to whether src equals UserIp.

Perhaps you should be using append to get the results from the second search, then using a stats command to join the two sets of results (you would have to rename or copy either src or UserIp (or both) to a field to "join" them by. Or use an outer join on the two searches.

You can then evaluate whether the ip was present in both searches (as src in one and UserIp in the other).

splunkcol · ‎03-19-2021

How would the code that you suggest me be?

Search using lookup

eval

fields

lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!