topic Re: Compare values from log and lookup in Splunk Search

Compare values from log and lookup

ialahdal — Wed, 23 Oct 2019 05:12:17 GMT

I have a lookup table that contains the data similar to the:
Service_name, IP, Port HTTPS, 10.10.10.10, 443 DNS, 10.10.10.11, 80

What I am trying to achieve is to make a search that'll compare existing IPs and ports from the logs that are in fields destip, destport and return values that match both, i.e. if "destip = IP & destport = Port then return service_name but I don't know how to achieve this in SPL.

I can match destip with the IP from the lookup and return a new field for service_name based on that but that doesn't help me achieve what I need

| lookup service_lookup IP AS destip OUTPUTNEW service_name

Thank you.

Re: Compare values from log and lookup

to4kawa — Wed, 23 Oct 2019 06:13:48 GMT

| makeresults
| eval ip="10.10.10.9,10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13"
| eval port="8,8,8,8,8"
| makemv delim="," ip
| makemv delim="," port
| eval tmp=mvzip(ip,port)
| mvexpand tmp
| rex field=tmp "(?<IP>[^,]+),(?<Port>[^,]+)"
| fields IP,Port
| join IP Port
 [| stats count
| eval _raw="service_name, IP, Port
HTTPS,10.10.10.10,443
DNS,10.10.10.11,8"
| multikv forceheader=1
| fields - _*
| fields service_name IP Port]

Hi, this is sample query.

your search query
| join destip destport [| inputlookup service_lookup
| rename IP as destip
| rename Port as destport]

How about this?

Re: Compare values from log and lookup

ialahdal — Wed, 23 Oct 2019 08:08:08 GMT

I was able to get what I wanted off of what you had here, eventually even decreased the search query to | lookup service_lookup IP as destip Port as destport OUTPUTNEW service_name
Which matched the port & ip from the logs to the table and then created a new field named "service_name" based on the results.

Re: Compare values from log and lookup

to4kawa — Wed, 23 Oct 2019 08:38:52 GMT

So that's it.
It will be helpful. Thanks.