Splunk Search

help to write the request correctly

gitingua
Communicator

Hello guys!!

help to write the request correctly. otherwise I don't understand how to do it right

file.csv

usernameip_address_oldid_olddesti
John192.168.11.51234abcd

 

index = IndexName

usernemip_address_newid_newdesti
John172.168.15.104321bsir

 

Where id_old != id_new. output

usernemip_address_newid_newdestiid_old
John172.168.15.104321bsir1234
Labels (6)
0 Karma
1 Solution

gitingua
Communicator
index=IndexName 
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_old

Thanks !!

View solution in original post

0 Karma

somesoni2
Revered Legend

Try something like this:

index=IndexName 
| table username ip_address_new id_new desti
| lookup username file.csv OUTPUT id_old
| where id_new!=id_old

gitingua
Communicator
index=IndexName 
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_old

Thanks !!

View solution in original post

0 Karma

gitingua
Communicator

Error in 'lookup' command: Could not construct lookup 'username, file.csv, OUTPUT, id_old'.

0 Karma

somesoni2
Revered Legend

Could you provide the actual query you tried? You may have added commas instead of spaces in lookup command. See this for syntax and example of lookup command: 

https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples

0 Karma

gitingua
Communicator

index = index

| table username src_ip asn
| lookup username user.csv OUTPUT asn_old
| where asn != asn_old

0 Karma

nmohammed
Contributor

@gitingua 

can you share your search query that you're trying for this result ?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!