Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Use Splunk for a Static Value Lookup

JeffBothel
Explorer
‎02-27-2018 10:32 PM

I have a data store that information is far faster and more reach to get to with Splunk and I am trying to figure out a way to generate information from one piece automatically from this source. In this specific example I tried the following

| inputlookup datastore
| search [setfields server_ip="10.22.10.250" | lookup dnslookup clientip as server_ip output clienthost as server_fqdn | fields server_fqdn]

But this is not rendering the information that I am looking for. The IP that I am using does have a corresponding server_fqdn value in the inputlookup datastore specified (I used a known good sample for this). I am hoping someone might be able to spot what I am not seeing in terms of syntax or value handling and offer a suggestion as to how to get this to work.

Tags (1)
0 Karma
Reply

starcher
Influencer
‎03-04-2018 07:32 AM

I'm not exactly sure what you intended. But try this as a different way

| makeresults | eval server_ip="10.22.10.250" | lookup dnslookup clients as server_ip output client_host as server_fqdn | lookup datastore server_fqdn OUTPUTNEW
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...