topic Splunk lookup file - lookup field question in Splunk Search

Splunk lookup file - lookup field question

Pellecrino — Mon, 16 Sep 2024 19:53:50 GMT

Hi all,

I've got a lookup file called devices.csv that contains 2 fields, hostname and ip_address.

The index I'm searching has 2 fields, src_ip and dest_ip.

I'd like to exclude results where both the src_ip and dest_ip fields match an IP address from my lookup file, it doesn't need to be the same IP, it just needs to be listed in that CSV. If either the src_ip field or the dest_ip field doesn't contain an IP address listed in the ip_address field I would expect to see it.

I'm just looking for advice on whether this is the best way of querying the data. Current query:

Re: Splunk lookup file - lookup field question

gcusello — Mon, 16 Sep 2024 16:04:48 GMT

Hi @Pellecrino ,

your search seems to be correct, I'd change the order of the commands, even if it should not be relevant:

Debug the issue running one by one the two conditions.

Ciao.

Giuseppe

Re: Splunk lookup file - lookup field question

PickleRick — Mon, 16 Sep 2024 18:14:43 GMT

While the search is technically more or lese correct, its performance will depend on the use case and with a big lookup you might hit search limits.

Another possible approach would be

<your_base_search>
| lookup my.csv src_ip OUTPUT matchsrc_ip
| lookup my.csv dest_ip OUTPUT matchdest_ip
| where isnull(matchsrc_ip) AND isnull(matchdest_ip)

Re: Splunk lookup file - lookup field question

yuanliu — Tue, 17 Sep 2024 03:22:07 GMT

I agree with @PickleRick that using lookup might be more performant if the lookup file is not very large and there are not many matches. If the lookup is very large, you can eliminate one subsearch because there is only one lookup.

index=network_traffic NOT [inputlookup devices.csv | stats values(ip_address) AS src_ip | eval dest_ip = src_ip]