I apologize if this has already been answered, but I looked through numerous inquiries on answers.splunk.com and did not find one to match my issue. I have a CSV lookup table of CustID, CustName, src_ip. I am charting the top 10 accesses by src_ip over a time period. If the src_ip is in the lookup table, I want to display the CustName, else display src_ip.
CustID,CustName,src_ip
99999,Customer1,123.123.123.123
88888,Customer2,123.45.67.8
77777, Customer3,123.67.8.3
...
This is my search:
sourcetype=access_combined | lookup TestIPs.csv src_ip OUTPUT CustName | chart count over CustName| sort -count limit=10
This results in a chart of only the Customer hits, but does not show any information from hits from non-customers. Theoretically, a non-customer could be in the top 10 site users.
Sample Output
CustName count
Customer3 10
Customer1 6
Customer2 3
Desired Output
CustName count
111.222.333.4 20
1.2.3.4 15
Customer3 10
4.9.1.6 7
Customer1 6
Customer2 3
1.1.1.1 2
1.2.3.45 1
2.3.4.5 1
3.5.7.9 1
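One way to get the desired output, as an added example that is not part of the original post: the lookup leaves CustName unset for any src_ip with no row in TestIPs.csv, and chart over CustName skips events where that field is missing, which is why only customers appear. The search below uses the post's own sourcetype, lookup file and field names, fills CustName with src_ip through coalesce before counting, and keeps the ten highest counts with sort 10 -count.

```spl
sourcetype=access_combined
| lookup TestIPs.csv src_ip OUTPUT CustName
| eval CustName=coalesce(CustName, src_ip)
| chart count over CustName
| sort 10 -count
```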