Re: multi lookup If the fields are different

nnonm111 · ‎08-31-2021

I'm going to stats through two lookups.
srcip.csv field
src_ip , subnetmaks
dest.csv field
dest_ip,subnetmaks
src_ip , dest_ip , is intended to be used in stats.

ex) index="myindex" |
[ | inputlookup destip.csv]
[ | inputlookup srcip.csv]
stats values(src_ip) AS src_ip by dest_ip

Or is there another way, and if it's different from my index field,
ex)
csv = src_ip myfield = srcip
csv = dest_ip myfield = destip
What should I do if it is?

richgalloway · ‎08-31-2021

What problem are you trying to solve with this query? Does it even produce results?

The inputlookup command reads then entire lookup file, which may not be necessary. It depends on the goal of the search. If the goal is to associate an IP address with a subnet mask then the lookup command may be the better choice. Lookup also lets you associate fields with different names. See the Search Reference manual for details.

The stats command needs a field common to all events to properly group events by that field. In the example query, dest_ip is not that field. Consider using the rename command or the coalesce function to create a field that exists in all events.

---
If this reply helps you, Karma would be appreciated.

multi lookup If the fields are different

field extraction

lookup

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation