I am trying to lookup to see if sources are sending data into splunk using metadata. The problem is some hosts show up as IP and some hosts show up as hostname. I have a lookup file with fields of host,src_ip and this does not seem to work. The search I am using now is
This works for host:
[| metadata type=hosts | lookup lookup_hosts host as host OUTPUT "host" as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype
This works for src_ip:
[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype
can i combine the search to search for host OR src_ip
I got it working:
[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host
I got it working:
[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host