Re: Use Splunk for a Static Value Lookup

JeffBothel · ‎02-27-2018

I have a data store that information is far faster and more reach to get to with Splunk and I am trying to figure out a way to generate information from one piece automatically from this source. In this specific example I tried the following

| inputlookup datastore | search [setfields server_ip="10.22.10.250" | lookup dnslookup clientip as server_ip output clienthost as server_fqdn | fields server_fqdn]

But this is not rendering the information that I am looking for. The IP that I am using does have a corresponding server_fqdn value in the inputlookup datastore specified (I used a known good sample for this). I am hoping someone might be able to spot what I am not seeing in terms of syntax or value handling and offer a suggestion as to how to get this to work.

starcher · ‎03-04-2018

I'm not exactly sure what you intended. But try this as a different way

| makeresults | eval server_ip="10.22.10.250" | lookup dnslookup clients as server_ip output client_host as server_fqdn | lookup datastore server_fqdn OUTPUTNEW

Use Splunk for a Static Value Lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation