Re: Use Splunk for a Static Value Lookup

JeffBothel · ‎02-27-2018

I have a data store that information is far faster and more reach to get to with Splunk and I am trying to figure out a way to generate information from one piece automatically from this source. In this specific example I tried the following

| inputlookup datastore | search [setfields server_ip="10.22.10.250" | lookup dnslookup clientip as server_ip output clienthost as server_fqdn | fields server_fqdn]

But this is not rendering the information that I am looking for. The IP that I am using does have a corresponding server_fqdn value in the inputlookup datastore specified (I used a known good sample for this). I am hoping someone might be able to spot what I am not seeing in terms of syntax or value handling and offer a suggestion as to how to get this to work.

starcher · ‎03-04-2018

I'm not exactly sure what you intended. But try this as a different way

| makeresults | eval server_ip="10.22.10.250" | lookup dnslookup clients as server_ip output client_host as server_fqdn | lookup datastore server_fqdn OUTPUTNEW

Use Splunk for a Static Value Lookup

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Use Splunk for a Static Value Lookup

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk