Use a single field in a lookup table to search across multiple fields?

splunkzilla — Wed, 08 Feb 2023 00:42:36 GMT

I have a simple lookup table that contains a list of IPs. I'd like to take this list and search across all of my indexes, which don't all use the same fields for source/destination IPs. What would be the best/most efficient way to search all of these indexes for IP matches?

Re: Use a single field in a lookup table to search across multiple fields?

bowesmana — Wed, 08 Feb 2023 01:10:08 GMT

best/most efficient will depends, however, you can do a couple of ways with SPL.

Assuming you have a lookup with a field called 'ip'

your_search [ | inputlookup your_ip_list.csv ``` Pick your lookup named ip address field ``` | fields ip ``` Now for every other field name you want to assign, create a new field and assign it to the same IP address ``` | eval src_ip=ip | format "(" "(" "OR" ")" "OR" ")" ]

That will end up with this structure as the return from the subsearch

( ( ip="10.0.0.9" OR src_ip="10.0.0.9" ) OR ( ip="10.0.0.8" OR src_ip="10.0.0.8" ) )

Note that the first OR in the format statement will change the default AND between the same IP address to OR, allowing it to search all fields.

Note that if you have lots of IP addresses and lots of fields, this will end up as a huge subsearch, so may be less efficient than doing a simple lookup, i.e.

your_search | eval lookup_ip = coalesce(ip, src_ip, my_ip, xyz_ip) | lookup your_ip_list.csv ip as lookup_ip OUTPUT ip as found

This creates a single 'lookup_ip' field which is taken from one of a range of field names and then the simple lookup will return 'found' field as the ip address if it's found

topic Re: Use a single field in a lookup table to search across multiple fields? in Splunk Search

Use a single field in a lookup table to search across multiple fields?

Re: Use a single field in a lookup table to search across multiple fields?