Solved: Re: Best way to search using a lookup table?

Jason · ‎10-05-2010

I'm running a search across a bunch of data, say web logs, that has a lot of different src_ips.

I make a lookup of a handful of src_ips that I want to take a look at:

lookup table [iptable]

src_ip
1.2.3.4
1.2.3.5
1.2.4.6

What is the best way to search across all of my data (sourcetype=web, for instance) and ONLY show items matching my lookup file?

gkanapathy · ‎10-05-2010

Assuming there is a field in your data called src_ip, and that you have (say) millions of events and less than a few hundred entries in your lookup table, the most efficient way is probably:

sourcetype=web [ inputlookup iptable | fields src_ip ]

If the field in the sourcetype is called, say, source_address, you could do:

sourcetype=web [ inputlookup iptable | fields src_ip | rename src_ip as souce_address ]

View solution in original post

gkanapathy · ‎10-05-2010

Assuming there is a field in your data called src_ip, and that you have (say) millions of events and less than a few hundred entries in your lookup table, the most efficient way is probably:

sourcetype=web [ inputlookup iptable | fields src_ip ]

If the field in the sourcetype is called, say, source_address, you could do:

sourcetype=web [ inputlookup iptable | fields src_ip | rename src_ip as souce_address ]

Jason · ‎10-05-2010

sourcetype=web | join src_ip [inputlookup iptable] ?

Best way to search using a lookup table?

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!