topic How to match values if already in table in Splunk Search

How to match values if already in table

katmagee — Mon, 27 Apr 2020 18:27:06 GMT

I appended a CSV to an index, and right now my results pop up as the 100 lines of CSV, and then 30K of the index.

What I would like is to only return IF the values in the fw field from the index MATCH a value in the 100 lines of the CSV firewall_rule field... thoughts? I have a match in there currently but it's showing no similarities (even though I manually checked, there are many).

| from inputlookup:"firewall-exception-prod.csv"
| append [ search index=gcp_firewall]
| rename data.jsonPayload.rule_details.reference as FW 
| search FW = "network:prod*" OR firewall_rule=*
| rex field=FW "network:prod-corp/firewall:(?.*)"
| eval result=if(match(fw, firewall_rule),"yes", "no")
| table firewall_rule fw result

Do you know what I'm missing? Thank you!!!

Re: How to match values if already in table

richgalloway — Mon, 27 Apr 2020 19:53:27 GMT

The append command adds the results of its search to the end of the results of the previous search. The two sets of results have no relationship to each other so it's impossible to compare a field in one to a field in the other.

The typical approach to this problem is to put the lookup file in a subsearch. The results of the subsearch become a filter of the main search, getting you indexed events that have a field value in the CSV. It looks something like this:

index=gcp_firewall [ | inputlookup firewall-exception-prod.csv ]
| rename data.jsonPayload.rule_details.reference as FW
| search FW = "network:prod*" OR firewall_rule=
| rex field=FW "network:prod-corp/firewall:(?.)"
| eval result=if(match(fw, firewall_rule),"yes", "no")
| table firewall_rule fw result

The exact query may be different depending on the names of the fields in the lookup.

Re: How to match values if already in table

prachisaxena — Wed, 30 Sep 2020 05:09:18 GMT

Hi,

since you have a CSV file, did you try to use the lookup or join command instead of append, something like below.

search index=gcp_firewall
| rename data.jsonPayload.rule_details.reference as FW
| lookup firewall-exception-prod.csv FW as FWfield outputnew < whatever fields you want to get from csv file>
|search FWfield=*

Re: How to match values if already in table

katmagee — Tue, 28 Apr 2020 17:57:12 GMT

Is this doing the lookup right away though? The issue is a need lines 2-4 to happen before the lookup can occur since I have to change the FW field to fw via rex command....

Re: How to match values if already in table

katmagee — Tue, 28 Apr 2020 18:01:19 GMT

so with this, FWfield is the same field from my csv names firewall_rule, correct? and its checking against FW from the index payload? Want to make sure I'm looking at this right

Re: How to match values if already in table

richgalloway — Wed, 30 Sep 2020 05:10:11 GMT

Yes, the lookup is done first. To do field extraction before the lookup, try this:

index=gcp_firewall
| rename data.jsonPayload.rule_details.reference as FW
| search FW = "network:prod*" OR firewall_rule=
| rex field=FW "network:prod-corp/firewall:(?.)"
| lookup firewall-exception-prod.csv firewall_rule as fw OUTPUT firewall_rule as fw
| eval result=if(isnotnull(fw),"yes", "no")
| table firewall_rule fw result

Re: How to match values if already in table

katmagee — Wed, 29 Apr 2020 13:46:43 GMT

this worked! thanks