Splunk Search

help to write the request correctly

gitingua
Communicator

Hello guys!!

Help me to write the request correctly; otherwise I don't understand how to do it right.

file.csv

username   ip_address_old   id_old   desti
John       192.168.11.5     1234     abcd

 

index = IndexName

username   ip_address_new   id_new   desti
John       172.168.15.10    4321     bsir

 

Where id_old != id_new, output:

username   ip_address_new   id_new   desti   id_old
John       172.168.15.10    4321     bsir    1234
0 Karma
1 Solution

gitingua
Communicator
index=IndexName 
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_old

Thanks !!


0 Karma
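One practical gap in the accepted search: `where id_new!=id_old` silently drops every user who is not present in file.csv, because a comparison against a missing field evaluates to false. A new user whose id has never been recorded is exactly the row you usually want to see. The following is an added example written for this thread, not code posted by any participant; it assumes the same index, lookup file and field names as the question (username, ip_address_old, id_old, ip_address_new, id_new, desti).

```spl
index=IndexName
| lookup file.csv username OUTPUTNEW id_old ip_address_old
| fillnull value="not_in_lookup" id_old ip_address_old
| where id_new!=id_old
| table username ip_address_old ip_address_new id_old id_new desti
```

The lookup name comes first and the match field second, which is the ordering that avoids the "Could not construct lookup" error seen later in this thread. OUTPUTNEW is used instead of OUTPUT so that an id_old field already present in the event is not overwritten by the CSV value; switch back to OUTPUT if you want the CSV to win. fillnull gives users missing from the CSV a visible placeholder value, so they survive the `where` filter and show up with id_old = not_in_lookup rather than disappearing. Pulling ip_address_old through as well lets the final table show the before and after values side by side. Note that CSV lookups match the username field case-sensitively by default, so "john" in the index will not match "John" in the file unless the lookup definition sets case_sensitive_match to false.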

somesoni2
Revered Legend

Try something like this:

index=IndexName 
| table username ip_address_new id_new desti
| lookup username file.csv OUTPUT id_old
| where id_new!=id_old


gitingua
Communicator

Error in 'lookup' command: Could not construct lookup 'username, file.csv, OUTPUT, id_old'.

0 Karma

somesoni2
Revered Legend

Could you provide the actual query you tried? You may have added commas instead of spaces in the lookup command. See this for the syntax and an example of the lookup command:

https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples

0 Karma

gitingua
Communicator

index = index

| table username src_ip asn
| lookup username user.csv OUTPUT asn_old
| where asn != asn_old

0 Karma

nmohammed
Builder

@gitingua 

Can you share the search query that you're trying for this result?

0 Karma