I have created a dashboard that allows for a user to input a public IP address and based on the input, pull back any data associated with that IP into various panels. On one of the panels I would like to pull out the values from a lookup file that I have created based on the user input without having to do any search commands or search through any logs.
Pseudocode:
$x.x.x.x$ = user input token
src_ip=$x.x.x.x$ | lookup ip_table IP as src_ip OUTPUT Company, Location
I am not sure if this answers your question because it involves a search. Maybe you could use inputlookup.
| inputlookup ip_table | where IP="$x.x.x.x$" | fields Company, Location
Genius! It's so simple and that is exactly what I was looking for. I didn't even think about using the where in the search. Thanks.
Looking for more help on this. I came across this scenario when no results came back from the lookup table, but I still want to do something with the IP.
Ex.
| inputlookup tablename | where IP="x.x.x.x" | stats count | eval result=if(count==0, IP, Company) | iplocation IP | fields IP, Company, City, Region, Country
So basically if no results come back I still want to return the Geo information on the IP. If there are results then I want the results from the lookup and also return the Geo information.
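One way to get a row back whether or not the lookup matches, shown as an added example that is not from any post in this thread: start from a single generated row instead of from the lookup file, then enrich it. The token name ip_tok and the dashboard layout are assumptions; ip_table, IP, Company and Location are the names used in the posts above, and ip_table is assumed to be usable with the lookup command.

```xml
<!-- Added example, not from the thread. Assumed names: token ip_tok and this
     panel layout; ip_table with fields IP, Company, Location as in the posts. -->
<form>
  <label>IP lookup</label>
  <fieldset submitButton="true">
    <input type="text" token="ip_tok">
      <label>Public IP</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- makeresults emits exactly one row, so the pipeline still has
               something to enrich when ip_table has no entry for the IP.
               $ip_tok|s$ wraps the token value in quotes, so the user's
               input is handled as a string literal rather than as SPL. -->
          <query>
| makeresults
| eval IP=$ip_tok|s$
| lookup ip_table IP OUTPUT Company, Location
| iplocation IP
| table IP, Company, Location, City, Region, Country
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

When the IP is not in ip_table, Company and Location are simply empty in the result row while City, Region and Country are still filled in by iplocation.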