- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Replacing multiple values in events with data from...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am fairly new to Splunk so forgive me if this is a simple question. I have a lookup table with the following data:
IP_Address,Name,Comment
Each IP_Address field is populated in the table but some of the Name and Comment fields are not.
I have a search of my firewall logs that displays a src IP address and a dst IP address. I would like to replace the actual IP's with values from the lookup table. Basically, I am just needing to rename the src and dst fields to hostnames via a lookup table. I am able to get the lookup table to append (not replace) the data from the lookup table but only for one or the other (src or dst) but I really need it to replace both the src and dst IP's with the Name value from the lookup table.
Here is what I have so far. If someone could help guide me in the correct direction with the second half I would certainly appreciate the help. I have read the lookup documentation and examples but I'm a little confused about how to replace multiple values etc.
index=fwlog src=10.10.10.* |table src, dst |lookup IP_Data.csv IP_Address AS src OUTPUT Name
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=fwlog src=10.10.10.* | table src, dst | lookup IP_Data.csv IP_Address AS src OUTPUT Name AS srcName | lookup IP_Data.csv IP_Address AS dst OUTPUT Name AS dstName
So now yo have 4 fields in your table and if you really need to drop down to 2, you can add this:
| table srcName dstName | rename *Name AS *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=fwlog src=10.10.10.* | table src, dst | lookup IP_Data.csv IP_Address AS src OUTPUT Name AS srcName | lookup IP_Data.csv IP_Address AS dst OUTPUT Name AS dstName
So now yo have 4 fields in your table and if you really need to drop down to 2, you can add this:
| table srcName dstName | rename *Name AS *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! Given your example I was closer than I thought, I wasn't using multiple LOOKUP/OUTPUT commands. Thank you so much!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
