Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- inputlookup to match a field value using a variabl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputlookup to match a field value using a variable
Hello Splunk team, I'm trying to append columns based in a search of a field (Network = Network_CIDR) in Ashland-Networks-EAs.csv , Network_CIDR is a variable, but I don't get any match, not sure why.
sourcetype=ib:ipam:network index=ib_ipam | eval Network_CIDR=address."/".cidr | search view = "Ashland" | eval utilization=round(utilization, 1) | eval allocation=round(allocation, 1) | sort address | rename timestamp as Timestamp, view as "Network View", address as Network, cidr as CIDR, utilization as "DHCPv4 Utilization %", address_total as Total, address_alloc as Allocated, address_reserved as Reserved, address_assigned as Assigned, protocol as Protocol, allocation as "Utilization %", address_unmanaged as Unmanaged | table Timestamp, "Network View", Network, CIDR, Total, Allocated, Reserved, Assigned, Protocol, "Utilization %", Unmanaged, Network_CIDR | appendcols [|inputlookup Ashland-Networks-EAs.csv where (Network = Network_CIDR) | table Site_ID_DDI, Region_DDI, Country_DDI, City_DDI, Comment]
I have changed "where" option by "search" option in the appendcols part, but also is not matching any valuae and I get blank values in the columns added.
sourcetype=ib:ipam:network index=ib_ipam | eval Network_CIDR=address."/".cidr | search view = "Ashland" | eval utilization=round(utilization, 1) | eval allocation=round(allocation, 1) | sort address | rename timestamp as Timestamp, view as "Network View", address as Network, cidr as CIDR, utilization as "DHCPv4 Utilization %", address_total as Total, address_alloc as Allocated, address_reserved as Reserved, address_assigned as Assigned, protocol as Protocol, allocation as "Utilization %", address_unmanaged as Unmanaged, Network_CIDR| table Timestamp, "Network View", Network, CIDR, Total, Allocated, Reserved, Assigned, Protocol, "Utilization %", Unmanaged, Network_CIDR | appendcols [|inputlookup Ashland-Networks-EAs.csv | search Network = Network_CIDR | rename Network as "Network/Mask" | table Network/Mask, Site_ID_DDI, Region_DDI, CountryDDI, City_DDI, Comment]
Basically I want to add new cols from Ashland-Networks-EAs.csv at the end of each row that match with the Network field.
If I do the below search on Ashland-Networks-EAs.csv, I can get the info for 10.168.135.0/24.
|inputlookup Ashland-Networks-EAs.csv |search Network = 10.168.135.0/24| fields Network, Site_ID_DDI, Region_DDI, Country_DDI, City_DDI
Maybe this is not the correct way to do what I want to do, but Thanks in advance for your help.
Omar.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks manjunathmeti for your response, but basically I want to treat the Network/CIDR as a text string, think I don't need to use cdirmatch function. But, maybe I need to do this in a different way.. Is there a way I can set an eval myVariable=[|inputlookup Ashland-Networks-EAs.csv where (Network = Network_CIDR) | table Site_ID_DDI, Region_DDI, Country_DDI, City_DDI, Comment] and add myVariable at the end in the table?
Thanks in davance for your help.
Omar.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
