topic Re: Appending lookup fields into search in Splunk Search

Appending lookup fields into search

weetabixsplunk — Thu, 26 May 2022 20:25:47 GMT

Hi guys,

I'm a splunk noob here and I'm going nuts. I know this is an extremely simple search and I can't get it right.
I'm trying to create a search for remote access applications based on our firewall index.

IP cidr will be pulled from a lookup file (network_assets.csv) and matching to the source ip from my events. There's fields from the lookup file that do not exist in the events. I'm particullarly interested in adding this field called usertags (which is included in the lookup).

I am using these links as a reference and I can't get it to work.
https://community.splunk.com/t5/Splunk-Search/How-do-I-append-columns-to-a-search-via-inputlookup-where-the/m-p/402136

My search currently does not give me any results. Any help would be much appreciated

Re: Appending lookup fields into search

SinghK — Thu, 26 May 2022 18:30:59 GMT

try this

Re: Appending lookup fields into search

pbarbuto — Thu, 26 May 2022 18:31:18 GMT

Are you sure that there is a column called cidr in your lookup? If you just run the following what do you see?

| inputlookup network_assets.csv

Re: Appending lookup fields into search

ITWhisperer — Thu, 26 May 2022 18:37:12 GMT

Have you set up advanced options for the lookup, specifically CIDR as the match type?

Define a CSV lookup in Splunk Web - Splunk Documentation

Also, you possibly want to change the lookup to this

| lookup network_assets.csv cidr AS src

Re: Appending lookup fields into search

weetabixsplunk — Thu, 26 May 2022 18:37:15 GMT

I see the lookup itself with the following fields:

cidr description AssetId name Namespace networkId tags usertags

Re: Appending lookup fields into search

weetabixsplunk — Thu, 26 May 2022 18:40:36 GMT

I get a Error in 'lookup' command: Cannot find the destination field 'src' in the lookup table 'network_assets.csv'.

Re: Appending lookup fields into search

richgalloway — Thu, 26 May 2022 19:02:00 GMT

It would help to see a sample event or two and a sample row or two from the lookup file.

It would help immensely if you explained what is meant by "can't get it to work". What results do you get and how do they not meet expectation?

If the lookup file contains CIDR addresses and the index does not then a lookup definition should be created so you can enable CIDR lookups. If that's the case then let us know so we can go into detail on that.

FTR, search performance can be improved by moving the search commands into the base search.

index=fw appcat=Remote.Access app!="RDP" app!="WMI.DCERPC" | lookup network_assets.csv cidr | eval cidr=src | search usertags="*server*" | table src dest app url appcat usertags

Re: Appending lookup fields into search

weetabixsplunk — Thu, 26 May 2022 20:07:57 GMT

Thank you so much for responding ❤️

This is what a sample of the lookup would look like

cidr description AssetId name netNamespace networkId usertags

10.20.16.0/23	London(AD)	aaaa-cucuc-5460-9e-98888	AD-assets	default			Wired\|Server
10.10.34.0/24	Cancun	bb0cuc-9181-51-8957-833357f2a1	Virtualization	default			Wired\|Server

I get a "No results found". I know the search itself does give me results if I input a particular IP address as source, as I know that there's been remote access applications running on server.

Re: Appending lookup fields into search

weetabixsplunk — Thu, 26 May 2022 19:18:00 GMT

I get a "No results found". I know the search itself does give me results if I input a particular IP address as source, as I know that there's been remote access applications running on server.

Re: Appending lookup fields into search

pbarbuto — Thu, 26 May 2022 19:18:23 GMT

try "| lookup network_assets.csv OUTPUT cidr AS src"

Re: Appending lookup fields into search

weetabixsplunk — Thu, 26 May 2022 20:18:11 GMT

Idiot me was doing it all wrong and that answer definitely helped! Thank you!! ❤️

Re: Appending lookup fields into search

weetabixsplunk — Thu, 26 May 2022 20:18:35 GMT

thank you!!!!!!!!!!!!! 🙂