Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use a single field in a lookup table to search across multiple fields?

splunkzilla
Explorer
‎02-07-2023 04:42 PM

I have a simple lookup table that contains a list of IPs.  I'd like to take this list and search across all of my indexes, which don't all use the same fields for source/destination IPs.  What would be the best/most efficient way to search all of these indexes for IP matches?

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-07-2023 05:10 PM

best/most efficient will depends, however, you can do a couple of ways with SPL.

Assuming you have a lookup with a field called 'ip'

your_search [ | inputlookup your_ip_list.csv
  ``` Pick your lookup named ip address field ```
  | fields ip 
  ``` Now for every other field name you want to assign, create a new field
      and assign it to the same IP address ```
  | eval src_ip=ip
  | format "(" "(" "OR" ")" "OR" ")"
]

That will end up with this structure as the return from the subsearch

( ( ip="10.0.0.9" OR src_ip="10.0.0.9" ) OR ( ip="10.0.0.8" OR src_ip="10.0.0.8" ) )

 Note that the first OR in the format statement will change the default AND between the same IP address to OR, allowing it to search all fields.

Note that if you have lots of IP addresses and lots of fields, this will end up as a huge subsearch, so may be less efficient than doing a simple lookup, i.e.

your_search 
| eval lookup_ip = coalesce(ip, src_ip, my_ip, xyz_ip)
| lookup your_ip_list.csv ip as lookup_ip OUTPUT ip as found

This creates a single 'lookup_ip' field which is taken from one of a range of field names and then the simple lookup will return 'found' field as the ip address if it's found

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...