multi lookup If the fields are different

nnonm111 · ‎08-31-2021

I'm going to stats through two lookups.
srcip.csv field
src_ip , subnetmaks
dest.csv field
dest_ip,subnetmaks
src_ip , dest_ip , is intended to be used in stats.

ex) index="myindex" |
[ | inputlookup destip.csv]
[ | inputlookup srcip.csv]
stats values(src_ip) AS src_ip by dest_ip

Or is there another way, and if it's different from my index field,
ex)
csv = src_ip myfield = srcip
csv = dest_ip myfield = destip
What should I do if it is?

richgalloway · ‎08-31-2021

What problem are you trying to solve with this query? Does it even produce results?

The inputlookup command reads then entire lookup file, which may not be necessary. It depends on the goal of the search. If the goal is to associate an IP address with a subnet mask then the lookup command may be the better choice. Lookup also lets you associate fields with different names. See the Search Reference manual for details.

The stats command needs a field common to all events to properly group events by that field. In the example query, dest_ip is not that field. Consider using the rename command or the coalesce function to create a field that exists in all events.

---
If this reply helps you, Karma would be appreciated.

multi lookup If the fields are different

field extraction

lookup

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!