- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me figure out why our semi-dynami...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunk Users,
My main search to find DHCP Discover logs is as below:
index=bluecat (Mac_Address) "DHCPDISCOVER"
| table _time message_option mac_address
What I am trying to achieve is I have a dashboard, so when I search the Username, it gives me all sorts of information about the Username.
My token for the username is $clientip$
I need to look up the Mac_Address from another separate CSV table called bbtable.csv and in this table, it includes the username and mac_address details.
When I run the lookup separately as below:
inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC"
it returns the required mac_address value I need.
When I combine the sub-search with my main search as below it fails with the message "No results found. Try expanding the time range." 😞
index=bluecat [inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC"]
| table _time message_option mac_address
Please help
Thank you in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you add format to your subsearch and run it as a search like this:
|inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC" | format
You will see that it is creating something like ( ( MAC="1:2:3:4:5:6" ) OR ... OR ( MAC="5:6:7:8:9:0" ) ) which is probably not what you would like because the fieldname in your bluecoat logs is not MAC but something else. So do a | rename MAC as <other field name> or use this to do a fieldless search instead:
|inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC" | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/MAC=//g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you add format to your subsearch and run it as a search like this:
|inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC" | format
You will see that it is creating something like ( ( MAC="1:2:3:4:5:6" ) OR ... OR ( MAC="5:6:7:8:9:0" ) ) which is probably not what you would like because the fieldname in your bluecoat logs is not MAC but something else. So do a | rename MAC as <other field name> or use this to do a fieldless search instead:
|inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC" | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/MAC=//g"
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
