Splunk Search

Best way to search using a lookup table?

Jason
Motivator

I'm running a search across a bunch of data, say web logs, that has a lot of different src_ips.

I make a lookup of a handful of src_ips that I want to take a look at:

lookup table [iptable]

src_ip
1.2.3.4
1.2.3.5
1.2.4.6

What is the best way to search across all of my data (sourcetype=web, for instance) and ONLY show items matching my lookup file?

Tags (2)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Assuming there is a field in your data called src_ip, and that you have (say) millions of events and less than a few hundred entries in your lookup table, the most efficient way is probably:

sourcetype=web [ inputlookup iptable | fields src_ip ]

If the field in the sourcetype is called, say, source_address, you could do:

sourcetype=web [ inputlookup iptable | fields src_ip | rename src_ip as souce_address ]

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Assuming there is a field in your data called src_ip, and that you have (say) millions of events and less than a few hundred entries in your lookup table, the most efficient way is probably:

sourcetype=web [ inputlookup iptable | fields src_ip ]

If the field in the sourcetype is called, say, source_address, you could do:

sourcetype=web [ inputlookup iptable | fields src_ip | rename src_ip as souce_address ]

Jason
Motivator

sourcetype=web | join src_ip [inputlookup iptable] ?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...