Cross referencing to fill in missing details

rattyryan
Explorer

Hi,

I have two .csv files. One contains an IP address with associated output data, a second contains the IP address along with the location and building. How do I go about using both as a source and have a single output to contain the IP address with building, location and associated output data?

I have looked into the use of lookups. Would this work? If I were to create a lookup for csv1 and manually put in empty fields for building and location before uploading, and then source the second csv with a lookup for csv1 and use a transaction by IP address, would that work, do you think?

0 Karma

ArthurGautesen
Path Finder

You could have any details from csv1 displayed, but this method (providing that IP is a valid field, AND IP is a valid field in csv2) gives you access to both lookups of data using IP as the reference. Now, you also have to make certain that IP is a unique value in both csv1 and csv2.

|inputlookup csv1 
| lookup csv2 IP

If IP is not the name of the IP address field in csv1 but is in csv2, then you need to rename it between the two, like this:

|inputlookup csv1 | rename ipaddress AS IP
| lookup csv2 IP

Hope this helps

0 Karma
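
An added example, not part of the original thread: the same enrichment with the output fields named explicitly and a status column that flags the two failure cases the answer warns about (an IP missing from csv2, or an IP that appears more than once in csv2 and so comes back multivalued). Assumptions: the lookup files are uploaded as csv1.csv and csv2.csv, csv1 calls its address column ipaddress and its data column output, csv2 has the columns IP, building and location, and match_status is a name invented here.

```spl
| inputlookup csv1.csv
| rename ipaddress AS IP
| lookup csv2.csv IP OUTPUT building location
| eval match_status=case(
    isnull(building) AND isnull(location), "no_match_in_csv2",
    mvcount(building) > 1 OR mvcount(location) > 1, "duplicate_ip_in_csv2",
    true(), "ok")
| table IP building location output match_status
```

Appending `| where match_status!="ok"` to the search lists only the rows that need the source files corrected.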