Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using lookup table as source for search

tmwhitm
New Member
‎12-08-2017 10:52 AM

I am looking for a way to perform a search and produce results matching search results against a lookup table or vice versa. The scenario is a lookup table with two columns, IP & Description. I wish to run a search and produce results on the IP addresses that match the IP addresses in the lookup table. My syntax is not correct on what I have been able to test, see below for the SPL I was using. I know there must be a straight forward way to accomplish this task. Much appreciated for any support.

Thank you,
Tom

index="network" sourcetype="cisco:asa" | join src_ip [ search inputlookup append=t FLASHAB000089 | rename IPAddr as src_ip]

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-08-2017 11:18 AM

Here's the syntax I use for such cases:

index="network" sourcetype="cisco:asa" 
[ | inputlookup FLASHAB000089 
  | stats values(IPAddr) as src_ip 
  | format ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

tmwhitm
New Member
‎06-06-2018 12:04 PM

The syntax in the accepted answer works great but when I create a lookup table with UrLs, it does not work. Any ideas on how to use a lookup table with UrLs? I have SPL like this that isn't working,

index="p*" [ | inputlookup UrL-Input | stats values(UrL) as url | format ] | stats count by src_ip,url,action
| sort action

The lookup table UrL-Input contains two columns, URL & Description.

Any assistance is appreciated.

Tom

0 Karma
Reply
Solved! Jump to solution

tmwhitm
New Member
‎12-08-2017 11:30 AM

Just tried it and working with a control IP i added to the lookup table. Thank you very much!

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-08-2017 11:18 AM

Here's the syntax I use for such cases:

index="network" sourcetype="cisco:asa" 
[ | inputlookup FLASHAB000089 
  | stats values(IPAddr) as src_ip 
  | format ]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...