Re: multi lookup If the fields are different

nnonm111 · ‎08-31-2021

I'm going to stats through two lookups.
srcip.csv field
src_ip , subnetmaks
dest.csv field
dest_ip,subnetmaks
src_ip , dest_ip , is intended to be used in stats.

ex) index="myindex" |
[ | inputlookup destip.csv]
[ | inputlookup srcip.csv]
stats values(src_ip) AS src_ip by dest_ip

Or is there another way, and if it's different from my index field,
ex)
csv = src_ip myfield = srcip
csv = dest_ip myfield = destip
What should I do if it is?

richgalloway · ‎08-31-2021

What problem are you trying to solve with this query? Does it even produce results?

The inputlookup command reads then entire lookup file, which may not be necessary. It depends on the goal of the search. If the goal is to associate an IP address with a subnet mask then the lookup command may be the better choice. Lookup also lets you associate fields with different names. See the Search Reference manual for details.

The stats command needs a field common to all events to properly group events by that field. In the example query, dest_ip is not that field. Consider using the rename command or the coalesce function to create a field that exists in all events.

---
If this reply helps you, Karma would be appreciated.

multi lookup If the fields are different

field extraction

lookup

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?