Solved: How to inputlookup on a field that is "rex" genera...

xiangtaner · ‎04-19-2016

Hi,

I have two pieces of data: 1. a list of IP addresses stored in a lookup table host2ips.csv; 2. a source where IP addresses are embedded. So my task is to filter the source and leave only the records with IP addresses in the lookup list.

I got error when I used the following codes. It would be greatly appreciated if someone can advise me on this.

search sourcetype=source1 | rex "...(?<>\S*)..." [inputlookup host2ips.csv | fields ip]

Thanks and Regards,

Wayne

MuS · ‎04-19-2016

Hi xiangtaner,

If I understand your question correct, this search should work for you:

 search sourcetype=source1 | rex "...(?<ip>\S*)..." | search [ | inputlookup host2ips.csv | fields ip]

This will search sourcetype=source1 and rex out the ip and further down the pipe it will search for all ip from the host2ips.csv in sourcetype=source1.

Hope this helps ...

cheers, MuS

PS: there is probably an even more efficient way to do it, by adding the [ | inputlookup to the base search ( everything before the first | ] ....

View solution in original post

MuS · ‎04-19-2016

Hi xiangtaner,

If I understand your question correct, this search should work for you:

 search sourcetype=source1 | rex "...(?<ip>\S*)..." | search [ | inputlookup host2ips.csv | fields ip]

This will search sourcetype=source1 and rex out the ip and further down the pipe it will search for all ip from the host2ips.csv in sourcetype=source1.

Hope this helps ...

cheers, MuS

PS: there is probably an even more efficient way to do it, by adding the [ | inputlookup to the base search ( everything before the first | ] ....

xiangtaner · ‎04-19-2016

Noce, it works, Thanks MuS!

How to inputlookup on a field that is "rex" generated?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?