Splunk Search

Add location to IPs found in lookup or add unknown if missing

khaghsam
New Member

So I have a string of IPs as input and am trying to figure out how to add the location to them, which is stated in a CSV.

The input string varies and could look, for example, like this for each host:

ip=1.1.1.1
ip=1.1.1.2|1.2.3.4
ip=1.1.1.5|1.4.4.6|1.2.4.6

meaning each could have either one IP or more; some of these IPs are in the location CSV, some not.

So my table from the beginning has these values and other empty fields that will be filled later:
hostname, ip, location, owner

The ones with information at the moment are hostname and ip; I'm trying to add location with the below, then add the other info after this code as it depends on it:

|inputlookup hostnames.csv
|table hostname ip
| eval ip = split(ip,"|")
| eval numIPs = mvcount(ip)
| eval iVal = mvrange(0,numIPs,1)
.
.
.
...missing...code...
.
.
.
| lookup location_info ip_prefix AS ip OUTPUT location
|table hostname ip location owner
| eval location = if(location="NONE" OR location="Unknown", "Unknown", location)
| streamstats count
| mvexpand location
| dedup count location
| mvcombine location
| fields - count
| lookup owners.csv location OUTPUT owner
| table hostname ip location owner

When there is 1 IP in the string, this works, but if there are more I have no clue at all how to solve it. I've tried mvexpand, mvcombine and foreach with no luck, or I'm using them wrongly.

Can someone share some insight on this?

0 Karma

richgalloway
SplunkTrust

This should work.

| inputlookup hostnames.csv
| fields hostname ip
| eval ip = split(ip,"|")
| mvexpand ip
...
---
If this reply helps you, Karma would be appreciated.
0 Karma

khaghsam
New Member

| inputlookup hostnames.csv
| fields hostname ip
| eval ip = split(ip,"|")
| mvexpand ip
| lookup location_info ip_prefix AS ip OUTPUT location

Works, but the combine part becomes an issue then.
So the output of the above becomes:

hostname1 1.1.1.1 location1
hostname1 2.2.2.2 unknown
hostname1 3.3.3.3 location2

depending on how many local/virtual IPs the host has.

0 Karma

richgalloway
SplunkTrust

What is the desired output?

---
If this reply helps you, Karma would be appreciated.
0 Karma

khaghsam
New Member

Something like this:


https://drive.google.com/open?id=1D5zo70owEnr5teSrWnkfSEU1uZBv6hdf

Now the location field's duplicates need to be removed in case there are any, same with owner (so I guess only unique values).

0 Karma
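A complete version of the pipeline this thread converges on, added here as an example and not the original poster's or richgalloway's own search. It assumes the same lookups named in the question (hostnames.csv with hostname and ip, location_info with ip_prefix and location, owners.csv with location and owner) and that an IP with no match in location_info, or a match of NONE, should be reported as Unknown:

```spl
| inputlookup hostnames.csv
| fields hostname ip
| eval ip = split(ip, "|")
| mvexpand ip
| lookup location_info ip_prefix AS ip OUTPUT location
| eval location = if(isnull(location) OR location="NONE" OR location="Unknown", "Unknown", location)
| lookup owners.csv location OUTPUT owner
| stats values(ip) AS ip, values(location) AS location, values(owner) AS owner BY hostname
| table hostname ip location owner
```

The split plus mvexpand turns each host into one row per IP, which is the only shape in which lookup can resolve every address; a single-IP host simply becomes one row. A lookup that finds no match leaves location null, so the eval normalises null, NONE and Unknown to the one Unknown value before the owners lookup runs. The final stats values() collapses the rows back to one per hostname and keeps only unique values in each field, so duplicate locations and owners disappear without the streamstats/mvexpand/dedup/mvcombine sequence. The trade-off is that values() sorts its results, so ip, location and owner are no longer position-aligned with each other; if that alignment matters, replace values() with list(), which preserves order but keeps duplicates.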