Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare a search result with a lookup?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kranthi851
New Member
06-07-2016
01:03 PM
Hi,
I have to get a result which is not in the lookup file. In the lookup, I have TIME and IP_PN. In the search result, I get the output CURRENTTIME, IP_PN. Now I need to get the output result of IP_PN which is not in the lookup. Can you let me know how to do it?
Search I'm using:
index=123|....|rename _time as currenttime|join IP_PN [|alert.csv]
Result:
currenttime IP_PN time
1465074992.23 10.1.2.3-22 1464988380.57
1465074992.23 10.22.1.1-44e 1464988380.57
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jensonthottian
Contributor
06-09-2016
08:48 AM
index=main source=qualys |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=*)|eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT))| makemv delim=";" pn|mvexpand pn |where pn!="Null"|makemv pn|mvexpand pn|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| |lookup qualys_alert.csv IP_PN OUTPUTNEW IP_PN AS status|search NOT status=*| table currenttime IP_PN
The above should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jensonthottian
Contributor
06-09-2016
08:48 AM
index=main source=qualys |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=*)|eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT))| makemv delim=";" pn|mvexpand pn |where pn!="Null"|makemv pn|mvexpand pn|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| |lookup qualys_alert.csv IP_PN OUTPUTNEW IP_PN AS status|search NOT status=*| table currenttime IP_PN
The above should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sameera123
Explorer
06-08-2016
03:12 AM
index=123 |lookup alert.csv IP_PN OUTPUTNEW IP_PN AS status|search NOT status=*|table CURRENTTIME,IP_PN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-07-2016
01:07 PM
Try this
index=123 NOT [inputlookup alert.csv | table IP_PN] | table CURENTTIME, IP_PN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kranthi851
New Member
06-07-2016
02:15 PM
I tried, i'm getting the results, which are in lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-07-2016
02:17 PM
Post your full search that you tried.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kranthi851
New Member
06-07-2016
02:35 PM
index=main source=qualys IP=10.21.16.195 |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=*)|eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT))| makemv delim=";" pn|mvexpand pn |where pn!="Null"|makemv pn|mvexpand pn|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| search NOT [|inputlookup qualys_alert.csv | table IP_PN] | table currenttime IP_PN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-07-2016
02:55 PM
Is the format of values of field IP_PN same in both your search results and lookup? Lookup is case sensitive (in case your values contain alphabets)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-07-2016
02:53 PM
Try this
index=main source=qualys IP=10.21.16.195 |rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT= OR TCP_PORT= OR UDP_PORT=*)| eval z=mvzip(pn, mvzip(UDP_PORT, TCP_PORT) ) | mvexpand z |where pn!="Null"|eval IP_PN=(toString(IP) + "_" + toString(pn))|dedup IP_PN|rename _time as currenttime| search NOT [|inputlookup qualys_alert.csv | table IP_PN] | table currenttime IP_PN
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
