I have a lookup table that looks like below:

[lookup table image: a dns column and an ip column, with several IP addresses per dns entry packed into one ip cell, separated by "|"]

So I have a Splunk query that generates a table with IP addresses and I want to automatically populate the relevant DNS names.

I use the following but it does not work:

index=servers signature_id=4624
| stats count by IpAddress
| lookup lookup.csv ip AS IpAddress OUTPUT dns AS server_name
| stats count by server_name IpAddress

Any idea how to solve it?

Maybe I need to make something like that before the lookup

| makemv delim="|" ip | mvexpand ip | fields ip dns ?

1 Answer

Splunk lookups use exact, wildcard, or CIDR matching, but they can't pick one of several values. The default is exact, which means the data must precisely match a value in the specified lookup column. In your example, the 'ip' field would have to be "ip1|ip2|ip3" to return "server1".

Wildcard matching refers to having "*" in the lookup file. It would allow "ip" to match "subnet1", for example.

CIDR matching allows for CIDR strings in the lookup file, which lets "ip" match "ip1/24", for example.

Both wildcard and CIDR matching must be configured in your lookup definition. See Settings->Lookups->Lookup definitions.

Consider restructuring your lookup file to have a single IP address per line.

dns        ip
server1    ip1
server1    ip2
server1    ip3
server2    ip4
server2    ip5

This will work with your existing query. However, looking up a dns field will only return the first IP address for that server.

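The restructuring the answer recommends, plus a small emulation of the three match modes it describes, as an added example that is not part of the original post and is not Splunk's own lookup code. `explode_lookup` turns a pipe-delimited ip cell into one row per address; `lookup_dns` mimics `| lookup ... ip AS IpAddress OUTPUT dns` under exact, wildcard or CIDR matching so you can see why the packed cell never matches. The lookup contents and the 10.0.x.x addresses are constructed for illustration; the function names are this example's own.

```python
"""Restructure a pipe-delimited IP lookup into one IP per row and emulate
Splunk's exact / wildcard / CIDR lookup matching to show why the packed
cell fails. Example code added to this page; not from the original post
and not Splunk's implementation."""
import csv
import fnmatch
import io
import ipaddress

# Constructed stand-in for the original lookup.csv: one row per server,
# several IP addresses packed into a single cell with "|" as separator.
ORIGINAL_LOOKUP = """dns,ip
server1,10.0.1.10|10.0.1.11|10.0.1.12
server2,10.0.2.20|10.0.2.21
"""


def load_lookup(csv_text):
    """Parse lookup CSV text into a list of {column: value} rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def explode_lookup(csv_text, key="ip", delim="|"):
    """Return rows with exactly one value in `key` per row.

    A row whose `key` cell holds several delimited values is emitted once
    per value; all other columns are repeated unchanged. This is the
    "single IP address per line" layout the answer recommends."""
    rows = []
    for row in load_lookup(csv_text):
        for value in row[key].split(delim):
            value = value.strip()
            if value:
                rows.append({**row, key: value})
    return rows


def to_csv(rows, fieldnames=("dns", "ip")):
    """Serialise rows back into lookup.csv form, header first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fieldnames), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _matches(pattern, value, mode):
    """Approximate one Splunk lookup match mode for a single cell."""
    if mode == "exact":
        return pattern == value
    if mode == "wildcard":
        # Splunk's wildcard lookups use "*"; fnmatch also accepts "?" and
        # "[...]", so this is a superset of Splunk's behaviour.
        return fnmatch.fnmatchcase(value, pattern)
    if mode == "cidr":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # cell is not a CIDR block or value is not an IP
    raise ValueError("unknown match mode: %s" % mode)


def lookup_dns(rows, ip, mode="exact"):
    """Emulate `| lookup ... ip AS IpAddress OUTPUT dns`: return the dns
    value of the first row whose ip column matches `ip` under `mode`,
    or None when nothing matches."""
    for row in rows:
        if _matches(row["ip"], ip, mode):
            return row["dns"]
    return None


if __name__ == "__main__":
    packed = load_lookup(ORIGINAL_LOOKUP)
    exploded = explode_lookup(ORIGINAL_LOOKUP)
    # Exact match against the packed cell "10.0.1.10|10.0.1.11|10.0.1.12" fails.
    print(lookup_dns(packed, "10.0.1.11"))     # None
    # After exploding, the same address resolves.
    print(lookup_dns(exploded, "10.0.1.11"))   # server1
    print(to_csv(exploded))
```

The same one-off restructuring can be done inside Splunk with `inputlookup`, `makemv delim="|"`, `mvexpand` and `outputlookup` on the ip field, which is essentially what the question's last line sketches; the point of the script is to show that the original query's `lookup` is fine once each row carries one address.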