Solved: looking at multiple columns for a lookup - Splunk Community

Splunk Search

I am trying to lookup to see if sources are sending data into splunk using metadata. The problem is some hosts show up as IP and some hosts show up as hostname. I have a lookup file with fields of host,src_ip and this does not seem to work. The search I am using now is

This works for host:

[| metadata type=hosts | lookup lookup_hosts host as host OUTPUT "host" as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

This works for src_ip:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | search is_there=* |table host ] | dedup host,sourcetype | table host,sourcetype

can i combine the search to search for host OR src_ip

1 Solution

Solution

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

View solution in original post

Solution

I got it working:

[| metadata type=hosts | lookup lookup_hosts src_ip as host OUTPUT host as is_there | eval another=if(isnull(is_there), host, null()) | lookup lookup_hosts host as another OUTPUT host as is_there2 | search is_there=* OR is_there2=* |table host ] | dedup host,sourcetype table host

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...