Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

looking at multiple columns for a lookup

troywollenslege
Path Finder
‎12-08-2011 12:40 PM

I am trying to lookup to see if sources are sending data into splunk using metadata. The problem is some hosts show up as IP and some hosts show up as hostname. I have a lookup file with fields of host,src_ip and this does not seem to work. The search I am using now is

This works for host:

[| metadata type=hosts | lookup lookup_hosts host as host OUTPUT "host" as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

This works for src_ip:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

can i combine the search to search for host OR src_ip

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

troywollenslege
Path Finder
‎12-08-2011 01:39 PM

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

troywollenslege
Path Finder
‎12-08-2011 01:39 PM

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...