topic Re: Index to lookup match IP address in Splunk Enterprise

Index to lookup match IP address- Why is "target_ip" not showing up on table?

ATEsiveL — Sun, 04 Sep 2022 22:14:38 GMT

Hello all, Hoping someone may be able to help. I have an internal tool I have an export from in the from of a CSV that has a column named ip. I uploaded this as a inputlookup (name.csv). I verifed I can see the ip information by |inputlookup (name.csv) and the rows of IP addresses show.

I have a base search that returns data , and I want to see if any of the src, or dest IP's from my search match the IP addresses listed in my name.csv. I keep running into a search, that returns a few thousand events, although I can search the event between src, and dest and it shows without the lookup.

Currently my search looks like this:

This search provides me a tabled output with src, and dest fields populated, but nothing in the "target_ip" field. Any ideas? Thank you.

Re: Index to lookup match IP address

richgalloway — Thu, 01 Sep 2022 20:10:18 GMT

The lookup is failing because there is no 'ip' field in the indexed data to look up. Use the as option to tell lookup where to find the field.

| lookup name.csv ip as src OUTPUT target_ip as src_target_ip | lookup name.csv ip as dest OUTPUT target_ip as dest_target_ip

Re: Index to lookup match IP address

ATEsiveL — Fri, 02 Sep 2022 11:35:58 GMT

Thank you for the response. I made this modification this morning, and am still having the same results. No data from the lookup being placed in the target_ip field to determine if there was a match. There may be a better method of trying to match this data, this is just what I had came up with originally. Also, after I added the lookup I am no longer getting the stats count on the right side, or the sort. Sorry if this is an easy question, I am new to lookup matching. Thank you.

Re: Index to lookup match IP address

richgalloway — Fri, 02 Sep 2022 20:21:21 GMT

I guess I should have been more explicit in my first reply. Since the lookup commands are returning target_ip as src_target_ip or dest_target_ip there no longer is a target_ip field for the table command to display.

Also, the count is not displayed because the table command did not specify it. That's not related to the lookups.

(index=name1 OR index=name2 OR index=name3) src_ip_country=United States action=allowed | stats count by src, dest | sort - count | lookup name.csv ip AS src OUTPUT target_ip AS src_target_ip | lookup name.csv ip AS dest OUTPUT target_ip AS dest_target_ip | table src_target_ip, src, dest_target_ip, dest, count

BTW, there's no need for reverse after sort if you sort in descending order.