Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Lookup in a lookup table with multivalue fields

vpaschalidis
Loves-to-Learn
‎03-20-2020 01:49 AM

Hello,

I have a lookup table that looks like below:

dns ip
server1 ip1,ip2,ip3
server2 ip4,ip5,ip6
server3 ip7
server4 ip8,ip9,ip10,ip11

So I have a Splunk search that generates a table with IP addresses and I want to automatically populate the relevant dns names

I use the following but it does not work:
| lookup lookup.csv "ip" AS IpAddress OUTPUT "dns" AS server_name

Any idea how to solve it?

Thanks

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-20-2020 06:33 AM

Lookup tables expect to find the exact string in the given column. They do not do substring matching nor to they support multi-value. IOW, it will not find 'ip2' because the column contains the single value 'ip1,ip2,ip3'.
You will need to restructure the lookup table to have a single IP address in each row.

dns ip
server1 ip1
server1 ip2
server1 ip3
server2 ip4
server2 ip5
server2 ip6
server3 ip7
server4 ip8
server4 ip9
server4 ip10
server4 ip11
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...