Solved: Re: looking at multiple columns for a lookup - Splunk Community

Splunk Search

I am trying to lookup to see if sources are sending data into splunk using metadata. The problem is some hosts show up as IP and some hosts show up as hostname. I have a lookup file with fields of host,src_ip and this does not seem to work. The search I am using now is

This works for host:

[| metadata type=hosts | lookup lookup_hosts host as host OUTPUT "host" as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

This works for src_ip:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

can i combine the search to search for host OR src_ip

1 Solution

Solution

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

View solution in original post

Solution

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...