topic Re: Questions in Splunk Search

Questions

alnamlahk — Sun, 28 Feb 2021 08:30:49 GMT

Hello everyone,

I have a lookup table which have multiple fields, one of the fields is IP Address of an asset. Additionally, I have an index which contain a list of IPs, that I extract with a certain query. I want to compare the two list of IPs, and then create a new column in my lookup table with ( 0 or 1) value, indicating if there is a match between the IPs.

Any idea how to do that?

Thanks

Re: Questions

gcusello — Sun, 28 Feb 2021 09:19:15 GMT

Hi @alnamlahk,

I hint to see the inputlookup command (https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Inputlookup).

Anyway, you can insert the inputlookup command in a subsearch and use the results to filter the main search.

The only rule is that the field name in main and sub search must be the same, otherwise you have to rename the one in subsearch.

So if they has the same field name (e.g. "ip_address"), you could use a search like this:

index=your_index [ | inputlookup your_lookup.csv | fields ip_address ] | ...

if instead they have a different field name (e.g. in lookup the field name is "ip"), you have to rename the second one:

index=your_index [ | inputlookup your_lookup.csv | rename ip AS ip_address | fields ip_address ] | ...

Ciao.

Giuseppe

P.S.: see the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/WelcometotheSearchTutorial)

Re: Questions

alnamlahk — Sun, 28 Feb 2021 10:32:38 GMT

Thank you for your reply.

This will give me all the matched IPs. Now, I want to insert a new column in my lookup table which have "0 or 1" values.

if the IP address is present in my query it will have "1" value, otherwise it will have 0 value.

Re: Questions

gcusello — Sun, 28 Feb 2021 10:44:13 GMT

Hi @alnamlahk,

this is a different thing, try something like this:

but in this way you have in ths lookup the status field only of the last running.

Ciao.

Giuseppe

Re: Questions

alnamlahk — Sun, 28 Feb 2021 11:03:43 GMT

Thank you Giuseppe, really appreciate it my friend.

I used the following query (Adding "dedup IP_Address":

but this way, it's outputting all the IPs from the index, while I want only the IPs from "Asset.csv" (Those are the IPs that I'm interested in)

Re: Questions

gcusello — Sun, 28 Feb 2021 11:13:47 GMT

Hi @alnamlahk,

at first you don't need the dedup before stats!

then, if you want only the IPs from the lookup, you have to filter the results of the main search:

Ciao.

Giuseppe

Re: Questions

alnamlahk — Sun, 28 Feb 2021 12:16:51 GMT

Thank you.

I have minor issue here, some of the IPs in the csv file are not present in my index, so the resulted IPs in the query less than what I have in my CSV. Any idea how to solve this?

Re: Questions

gcusello — Mon, 01 Mar 2021 06:57:32 GMT

Hi @alnamlahk,

let me understand: the problem is that many of the IPs in the lookup to monitor aren't in the index?

If this is your problem I don't know how to help you because the problem in in the sources: the only hint is analyze your sources to understand if you're receiving logs from all the target systems and, if not, why.

A search like the one I hinted is usually used just to understand if there are some machines in the perimeter that don't send logs, usually I do an alert with a similare search to notice to the administrators when a source is stopping.

Tell me if I can give you more help, otherwise, please accept the answer for the other people of community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉