Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help to write the request correctly
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-21-2021
11:24 AM
Hello guys!!
help to write the request correctly. otherwise I don't understand how to do it right
file.csv
| username | ip_address_old | id_old | desti |
| John | 192.168.11.5 | 1234 | abcd |
index = IndexName
| usernem | ip_address_new | id_new | desti |
| John | 172.168.15.10 | 4321 | bsir |
Where id_old != id_new. output
| usernem | ip_address_new | id_new | desti | id_old |
| John | 172.168.15.10 | 4321 | bsir | 1234 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-24-2021
08:04 AM
index=IndexName
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_oldThanks !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-21-2021
02:01 PM
Try something like this:
index=IndexName
| table username ip_address_new id_new desti
| lookup username file.csv OUTPUT id_old
| where id_new!=id_old- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-24-2021
08:04 AM
index=IndexName
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_oldThanks !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-22-2021
04:37 AM
Error in 'lookup' command: Could not construct lookup 'username, file.csv, OUTPUT, id_old'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-22-2021
07:00 AM
Could you provide the actual query you tried? You may have added commas instead of spaces in lookup command. See this for syntax and example of lookup command:
https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-24-2021
07:52 AM
index = index
| table username src_ip asn
| lookup username user.csv OUTPUT asn_old
| where asn != asn_old
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nmohammed
Builder
10-21-2021
01:47 PM
can you share your search query that you're trying for this result ?
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
