Hello,
I am trying to find missing data in Splunk from a lookup table using inputlookup. My lookup table is:
__netdevices_new__
netdevice,ip,type
host1,10.10.10.1,router
host2,10.10.10.2,router
host3,10.10.10.3,firewall
host4,10.10.10.4,switch
If I run these searches they work just fine:
For __hostnames__:
| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P<netdevice>[^ ]+)" | dedup netdevice | fields netdevice ]
For __IPs__:
| inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P<ip>[^ ]+)" | dedup ip | fields ip ]
How can I search for both netdevice and ip at the same time?
The events in the network index can have both hostnames and IPs.
Thank you,
Gerson Garcia
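The anti-join logic the two searches implement, carried through with both identifiers at once so that a device counts as seen if either its hostname or its IP appears in the fifth token of an event, as an added Python illustration (not part of the original post; the lookup rows mirror the question's table and the log lines are constructed):

```python
import csv
import io
import re

# Constructed lookup with the same columns as the netdevices_new table above.
LOOKUP_CSV = """netdevice,ip,type
host1,10.10.10.1,router
host2,10.10.10.2,router
host3,10.10.10.3,firewall
host4,10.10.10.4,switch
"""

# Constructed sample events: the fifth space-separated token is the device,
# sometimes a hostname and sometimes an IP, as in the network index.
EVENTS = [
    "Jan 10 12:00:01 syslog host1 interface up",
    "Jan 10 12:00:02 syslog 10.10.10.2 config saved",
    "Jan 10 12:00:03 syslog host3 login ok",
    "Jan 10 12:00:04 syslog 10.10.10.3 login ok",
]

# Same pattern as the question's rex, with a single named group for the token.
FIFTH_TOKEN = re.compile(r"^(?:[^ \n]* ){4}(?P<device>[^ ]+)")


def load_lookup(text):
    """Parse the CSV lookup into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def seen_devices(events):
    """Collect the fifth token of every event (hostnames and IPs mixed)."""
    seen = set()
    for line in events:
        m = FIFTH_TOKEN.match(line)
        if m:
            seen.add(m.group("device"))
    return seen


def missing_by_field(lookup_rows, events, field):
    """Equivalent of one single-field search: lookup rows whose value for
    `field` (netdevice or ip) never appears in the events."""
    seen = seen_devices(events)
    return sorted(r["netdevice"] for r in lookup_rows if r[field] not in seen)


def missing_devices(lookup_rows, events):
    """Both fields at once: rows whose netdevice AND ip are both absent,
    i.e. the device reported under neither identifier."""
    seen = seen_devices(events)
    return sorted(r["netdevice"] for r in lookup_rows
                  if r["netdevice"] not in seen and r["ip"] not in seen)
```

With the constructed events, the hostname-only check flags host2 and host4, the IP-only check flags host1 and host4, and the combined check flags only host4, the one device that never reported under either identifier.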