Splunk Search

How to look up all values of a multivalue field?

ave19
Explorer

I have an external lookup script that works mostly fine. Given an IP address from an event, it can match the address to a CIDR formatted allocation, showing me what organization the IP belongs to.

Some systems have more than one IP address, and Splunk doesn't seem to want to look up both IPs; it usually looks up the first, assigns an organization, and then seems to ignore the second. But I need both organization names. An event like:

2011-11-10 09:38:55,blah,cat,dog,"192.168.0.2, 192.168.5.2",foo,bar

Comes back with "org=SectionA" based on the 0.2 address, but what about 5.2? How do I get Splunk to keep looking?

1 Solution

ave19
Explorer

I found that mvexpand does the trick. It makes two separate events, one with each IP. Not exactly what I was hoping for, but close enough to get the job done.

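As an added illustration (not code from this thread or from Splunk), the Python below models the external lookup script as a longest-prefix CIDR match and runs it two ways over the question's example event: against the first value only (the behaviour described) and after splitting the multivalue IP field into one row per address, which is what mvexpand produces. The allocation table and organization names are constructed.

```python
import csv
import ipaddress

# Constructed allocation table standing in for the data behind the
# external lookup script; organization names are hypothetical.
ALLOCATIONS = {
    "192.168.0.0/16": "Internal",   # broad range
    "192.168.0.0/24": "SectionA",   # more specific, must win for 192.168.0.x
    "192.168.5.0/24": "SectionB",
    "10.0.0.0/8": "Corporate",
}
_NETS = [(ipaddress.ip_network(c), org) for c, org in ALLOCATIONS.items()]

# Constructed event, copied from the question's example line.
EVENT = '2011-11-10 09:38:55,blah,cat,dog,"192.168.0.2, 192.168.5.2",foo,bar'
IP_FIELD_INDEX = 4  # the quoted, comma-separated IP column


def lookup_org(ip):
    """Longest-prefix CIDR match for one address (what the lookup does per value).
    Returns None for unparseable addresses or addresses in no allocation."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    hits = [(net.prefixlen, org) for net, org in _NETS if addr in net]
    return max(hits)[1] if hits else None


def parse_ips(event):
    """Split the IP column into a multivalue list, like makemv with a comma delimiter."""
    row = next(csv.reader([event]))
    return [v.strip() for v in row[IP_FIELD_INDEX].split(",") if v.strip()]


def lookup_first_only(ips):
    """The behaviour the question describes: only the first value gets an org."""
    return lookup_org(ips[0]) if ips else None


def expand_and_lookup(ips):
    """The mvexpand approach: one row per address, each looked up on its own."""
    return [(ip, lookup_org(ip)) for ip in ips]


if __name__ == "__main__":
    ips = parse_ips(EVENT)
    print("first only:", lookup_first_only(ips))
    for ip, org in expand_and_lookup(ips):
        print(f"ip={ip} org={org}")
```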

mag314
Explorer

Is this still the case, where you cannot do lookups on multivalue fields?

e.g. I might have a list of 100 hosts similar to: hostname, (ip1, ip2)

I want to add location, sys-owner to this table. Both IPs may have the same location but sys-owner will differ. lookup table


I want to see something like the following come out for each line. 

hostname  ip1  Toronto  Smith
          ip2  Toronto  Jones

How would I do this?

| inputlookup mylastresults.csv
| makemv delim=" " ip
| mvexpand ip
| lookup gatheripinfo ip OUTPUT location sys-owner
| table hostname ip location sys-owner

ave19
Explorer

We manipulated the data before adding it to Splunk. However, I really wanted dynamic data, so I kept digging. I found that I can use mvexpand to get both zones out.


johandk
Path Finder

I've had a very similar problem with CIDR matching. I'm curious as to how you managed to do this. As far as I know, Splunk doesn't do lookups at index time? Or are you manipulating the data before sending it to Splunk?


ave19
Explorer

You know, since the zone doesn't change often (or maybe ever) we took our input data and wrote a script to do the lookup and add the zones as an extra field before indexing. No more lookup script.


subhadipc
Explorer

Try using "192.168.0.2" OR "192.168.5.2"


ave19
Explorer

I don't think I can; I have 11.2 million events in here. There's, like, 6 digits' worth of distinct IPs.
