topic How to display matching lookup definitions in a search in Splunk Search

How to display matching lookup definitions in a search

thipsz — Mon, 28 Sep 2020 13:26:38 GMT

Is there a way to display lookup definition name or lookup table file name that contains matching value in a search?
Example of query:
source=syslog | dedup src,dst | lookup listA ip_address as dst OUTPUTNEW | lookup listB ip_address as dst OUTPUTNEW | where isbad="true" | table device, src, dst

Expected result:
device src dst listA
device src dst listB
device src dst listA
device src dst listA
...etc

Re: How to display matching lookup definitions in a search

lguinn2 — Wed, 06 Mar 2013 09:44:30 GMT

The only way I can think of to do this, is to add a column to each list. For example:

listA.csv

ip_address,device,listNameA 192.188.17.252,xyz,listA

listB.csv

ip_address,isBad,listNameB 192.188.17.252,true,listB

Then your search would be

source=syslog | dedup src,dst 
| lookup listA ip_address as dst OUTPUTNEW
| lookup listB ip_address as dst OUTPUTNEW 
| where isbad="true" 
| eval listName = listNameA + listNameB
| table device, src, dst, listName

Notice if both lookups work, you could get a listName output that is listAlistB. And of course, I am completely making up where the fields are stored in the lookup tables...

More info would help make a better answer.

Re: How to display matching lookup definitions in a search

thipsz — Wed, 06 Mar 2013 18:40:39 GMT

syslog contains src and dst fields with IP address as value. The goal is to identify src that talks to dst matching any of the IPs in the two lists. The query works as intended, but it would be also nice to know which list contains matching dst IP.
This is being taken from getwatchlist app.