cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ATEsiveL
Observer
Member since: ‎09-01-2022
‎09-02-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-01-2022
View All

Re: Index to lookup match IP address

by in Splunk Enterprise
‎09-02-2022 04:35 AM
‎09-02-2022 04:35 AM
Thank you for the response. I made this modification this morning, and am still having the same results. No data from the lookup being placed in the target_ip field to determine if there was a match. There may be a better method of trying to match this data, this is just what I had came up with originally. Also, after I added the lookup I am no longer getting the stats count on the right side, or the sort.  Sorry if this is an easy question, I am new to lookup matching. Thank you. (index=name1 OR index=name2 OR index=name3) src_ip_country=United States action=allowed | stats count by src, dest | sort count | reverse | lookup name.csv ip AS src OUTPUT target_ip AS src_target_ip | lookup name.csv ip AS dest OUTPUT target_ip AS dest_target_ip | table target_ip, src, dest   ... View more

Index to lookup match IP address- Why is "target_i...

by in Splunk Enterprise
‎09-01-2022 12:35 PM
‎09-01-2022 12:35 PM
Hello all, Hoping someone may be able to help. I have an internal tool I have an export from in the from of a CSV that has a column named ip. I uploaded this as a inputlookup (name.csv). I verifed I can see the ip information by |inputlookup (name.csv) and the rows of IP addresses show. I have a base search that returns data , and I want to see if any of the src, or dest IP's from my search match the IP addresses listed in my name.csv. I keep running into a search, that returns a few thousand events, although I can search the event between src, and dest and it shows without the lookup. Currently my search looks like this: (index=name1 OR index=name2 OR index=name3) src_ip_country=United States action=allowed | stats count by src, dest | sort count | reverse | lookup name.csv ip OUTPUT target_ip | table target_ip, src, dest   This search provides me a tabled output with src, and dest fields populated, but nothing in the "target_ip" field.  Any ideas? Thank you. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-02-2022 09:21 AM