I am fairly new to Splunk so forgive me if this is a simple question. I have a lookup table with the following data:
IP_Address,Name,Comment
Each IP_Address field is populated in the table but some of the Name and Comment fields are not.
I have a search of my firewall logs that displays a src IP address and a dst IP address. I would like to replace the actual IP's with values from the lookup table. Basically, I am just needing to rename the src and dst fields to hostnames via a lookup table. I am able to get the lookup table to append (not replace) the data from the lookup table but only for one or the other (src or dst) but I really need it to replace both the src and dst IP's with the Name value from the lookup table.
Here is what I have so far. If someone could help guide me in the correct direction with the second half I would certainly appreciate the help. I have read the lookup documentation and examples but I'm a little confused about how to replace multiple values etc.
index=fwlog src=10.10.10.* |table src, dst |lookup IP_Data.csv IP_Address AS src OUTPUT Name
Thanks!
Like this:
index=fwlog src=10.10.10.* | table src, dst | lookup IP_Data.csv IP_Address AS src OUTPUT Name AS srcName | lookup IP_Data.csv IP_Address AS dst OUTPUT Name AS dstName
So now yo have 4 fields in your table and if you really need to drop down to 2, you can add this:
| table srcName dstName | rename *Name AS *
Like this:
index=fwlog src=10.10.10.* | table src, dst | lookup IP_Data.csv IP_Address AS src OUTPUT Name AS srcName | lookup IP_Data.csv IP_Address AS dst OUTPUT Name AS dstName
So now yo have 4 fields in your table and if you really need to drop down to 2, you can add this:
| table srcName dstName | rename *Name AS *
Thanks! Given your example I was closer than I thought, I wasn't using multiple LOOKUP/OUTPUT commands. Thank you so much!