topic Re: How to generate a search to compare the value of a field with a CSV table? in Splunk Search

How to generate a search to compare the value of a field with a CSV table?

soesia12 — Mon, 13 Mar 2017 17:28:58 GMT

Hello!

I'm currently trying to compare the value of a field with a csv table.

I want to compare the destination port (dst_port) with the values of pwhitelist.csv and display the ports that are not included in the csv data.

For example: the csv file consists of the ports 80, 8080, 443 and 8000 want to display all dst_ports that are not 80, 8080, 443 or 8000.

Thanks

Re: How to generate a search to compare the value of a field with a CSV table?

jkat54 — Mon, 13 Mar 2017 17:47:22 GMT

yourBaseSearch NOT [|inputlookup pwhitelist.csv | fields Ports | rename Ports AS dst_port | format]

Re: How to generate a search to compare the value of a field with a CSV table?

soesia12 — Tue, 14 Mar 2017 06:58:20 GMT

Hey!

Doesn't work. It just lists all ports.

In the file there are just a few ports. At the moments it's just for testing.
pwhitelist.csv:

In the file is only one column with the header "Ports".
The values 80,443,8000,8080 are in that column.

Re: How to generate a search to compare the value of a field with a CSV table?

jkat54 — Tue, 14 Mar 2017 11:03:47 GMT

I edited my answer, please try the new version. If dst_port isn't the field name in your index, then change it to the field name you have for the ports in your indexed data.

Re: How to generate a search to compare the value of a field with a CSV table?

soesia12 — Tue, 14 Mar 2017 12:44:15 GMT

thanks so much ! it worked