- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to lookup match on IP return user value within...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a lookup table that consists of 1 column. It contains IP addresses.
I have search against an index that has fields IP addresses and user Ids.
I want to match the IPs in the search to the lookup column IP Address. If I find a match I want to output the user ID in the event only.
How do I do that?
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this version
index=eventlog sourcetype=elog [| inputlookup iptest.csv | table src | rename src as src_ip ] | table user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you don't have ip filed in raw data and want use rex to take out IP address ,
plus want know how much data coming from that ip for a day.
index=<YourIDXname>earliest=-1d@d sourcetype =<"if any">
|rex "^[^\t\n]*\t(?P<srcip>[^\t]+)"
| eval size=len(_raw)
| stats sum(size) as bytes by srcip
| eval KB=round(bytes/1024,2)
|lookup iptest.csv local=true ManagementIP as srcip OUTPUT SiteIdentifier HostName DeviceManufactorer DeviceType
| search HostName=*
| dedup srcip
| table SiteIdentifier HostName DeviceManufactorer DeviceType srcip KB
| rename srcip as "Matched IPAddress" |sort by SiteIdentifier DeviceManufactorer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this version
index=eventlog sourcetype=elog [| inputlookup iptest.csv | table src | rename src as src_ip ] | table user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah. Thank you! I see where I had it wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you only want to see user ID for IP Addresses which are present in the lookup? If yes, try like this (assuming both lookup table and index has field name IP_Address, if they are not same, add a rename command in the subsearch)
your base search e.g. index=foo sourcetype=bar.. [| inputlookup Yourlookup.csv | table IP_Address ]
| table userID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I may have syntax wrong... (but I tried this below to no avail)
lookup table contains a column named 'src'
the ip address field in the event is named 'src_ip', and user field in the event is 'user'
my search is:
index=eventlog sourcetype=elog | table src_ip user
[| inputlookup iptest.csv | table src | rename src as src_ip ] | table user
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
