I am fairly new to Splunk so forgive me if this is a simple question. I have a lookup table with the following data:
IP_Address,Name,Comment
Each IP_Address field is populated in the table but some of the Name and Comment fields are not.
I have a search of my firewall logs that displays a src IP address and a dst IP address. I would like to replace the actual IP's with values from the lookup table. Basically, I am just needing to rename the src and dst fields to hostnames via a lookup table. I am able to get the lookup table to append (not replace) the data from the lookup table but only for one or the other (src or dst) but I really need it to replace both the src and dst IP's with the Name value from the lookup table.
Here is what I have so far. If someone could help guide me in the correct direction with the second half I would certainly appreciate the help. I have read the lookup documentation and examples but I'm a little confused about how to replace multiple values etc.
index=fwlog src=10.10.10.* |table src, dst |lookup IP_Data.csv IP_Address AS src OUTPUT Name
Thanks!
... View more