Solved: looking at multiple columns for a lookup - Splunk Community

Splunk Search

I am trying to lookup to see if sources are sending data into splunk using metadata. The problem is some hosts show up as IP and some hosts show up as hostname. I have a lookup file with fields of host,src_ip and this does not seem to work. The search I am using now is

This works for host:

[| metadata type=hosts | lookup lookup_hosts host as host OUTPUT "host" as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

This works for src_ip:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

can i combine the search to search for host OR src_ip

1 Solution

Solution

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

View solution in original post

Solution

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

Unleash the power of Splunk Observability Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...