Getting Data In

How to get a lookup table field and IP match with indexing data and sourcetype?

Splunk_rocks
Path Finder

Splunkers,

Here is my Question.
I have a lookup table, Windows_list.csv, that contains IP, Host Name and Application fields.
Now I want to take the IP as input from the lookup table and search against the current Windows index to see how many hosts are reporting to a given sourcetype in that index.
Question is, I need to verify 3000 hosts from my list against current Splunk data (sending data to Splunk or not, with some sourcetype=win etc.).

0 Karma

niketn
Legend

@Splunk_rocks is the IP address in your sourcetype=win already extracted with some field name? If yes, what is it? If not, create a field extraction, possibly named IP itself, so that you don't have to create a field alias to normalize the field across the sourcetype and the lookup.

If you currently do not have an IP address field extracted in your sourcetype=win, you can try the following:

index=<your_index_name> sourcetype=win [| inputlookup Windows_list.csv | rename IP as search | table search ]

If your lookup file has IPs like 10.10.201.200, 10.10.201.201, 10.10.201.202 etc., the above is similar to writing the following command:

index=<your_index_name> sourcetype=win 10.10.201.200 10.10.201.201 10.10.201.202 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

tiagofbmm
Influencer

Hey

What about:

index=windows
    [| inputlookup Windows_list.csv
     | return IP]
| stats dc(host) AS hosts BY sourcetype
0 Karma

Splunk_rocks
Path Finder

Thanks, it's not working. I need to take the IPs from my list and search against the Splunk index.

0 Karma

tiagofbmm
Influencer

This | inputlookup Windows_list.csv | return IP returns an ORed list of the IPs and passes them to your index search.

What exactly is not working? Is index=windows [ | inputlookup Windows_list.csv | return IP] not getting the events you want for the later stats?

Can you specify what is not working?

0 Karma

Splunk_rocks
Path Finder

Thanks

It's just taking only the first IP from the lookup file.

0 Karma

tiagofbmm
Influencer

Right, so have the return include an arbitrary number of IPs, as shown below:

index=windows
    [| inputlookup Windows_list.csv
     | return 100000 IP]
| stats dc(host) AS hosts BY sourcetype
0 Karma
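The two answers above filter the index down to the IPs in the lookup, but the original question is which of the 3000 listed hosts are sending data and which are not, and a search that only keeps matching events can never show the silent ones. The following is an added example, not code from any poster in this thread; it assumes, as niketn suggested, that the Windows events already have an extracted field named IP that matches the IP column of Windows_list.csv, and that the lookup has the three columns the question names (the "Host Name" column is renamed because field names with spaces are awkward inside stats). The `return 100000 IP` subsearch keeps the outer search cheap by restricting it to the listed IPs, and a second copy of the lookup is appended with a zero event count so every listed host survives the final stats, whether or not it reported:

```spl
index=windows sourcetype=win
    [| inputlookup Windows_list.csv
     | return 100000 IP]
| stats count AS events BY IP sourcetype
| append
    [| inputlookup Windows_list.csv
     | rename "Host Name" AS hostname
     | table IP hostname Application
     | eval events=0]
| stats sum(events) AS events, values(sourcetype) AS sourcetype,
        values(hostname) AS hostname, values(Application) AS Application BY IP
| eval status=if(events > 0, "reporting", "not reporting")
| sort status, IP
```

Two limits matter when sizing this to 3000 hosts: `return` only emits one row unless given a count, which is why the answers in the thread differ, and a subsearch is capped at 10,000 rows by default (the `maxout` setting under `[subsearch]` in limits.conf), so a list larger than that would have to be split or replaced by a lookup-based filter. Appending `| where status="not reporting"` at the end gives the list of hosts that need attention.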

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

alemarzu
Motivator

@Splunk_rocks describe the IP field name in your events and in the lookup. That would probably help Tiago.

0 Karma