topic Re: Lookup search wigh showing matched keyword in Splunk Search

Lookup search wigh showing matched keyword

msalghamdi — Tue, 01 Oct 2024 10:01:21 GMT

Hello Splunkers

How can i utilize a lookup in a correlation search showing the detected keyword in the search result ?

its a requirement that the analyst shouldn't have the capability to view lookups

Thanks in advance.

Re: Lookup search wigh showing matched keyword

gcusello — Tue, 01 Oct 2024 10:14:15 GMT

Hi @msalghamdi ,

could you better describe your requirement, eventually with an example?

Ciao.

Giuseppe

Re: Lookup search wigh showing matched keyword

msalghamdi — Tue, 01 Oct 2024 11:01:29 GMT

thanks for the prompt response.

our risk team wants to provide a list of critical project keyword which will be stored as a lookup, and we'd search the DLP logs for any match in the lookup, but the require that the analyst shouldn't have the ability to view the lookup which means that the analyst wouldn't know what keyword matched if the DLP captured more that a file/keyword in one log, so we thought if maybe there's a way we can highlight matched keywords in the search

Re: Lookup search wigh showing matched keyword

gcusello — Tue, 01 Oct 2024 12:07:42 GMT

Hi @msalghamdi ,

it isn't so immediate if you want to search on all the raw events, if instead you want to search on a predefined field it's easier.

In the second case you can use the lookup command, something like this:

<your_search> | lookup your_lookup.csv your_key OUTPUT your_key AS found_key

In the other case there was a solution from @somesoni2 to my same requirement of around 10 years ago, very hard to remember.

Ciao.

Giuseppe

Re: Lookup search wigh showing matched keyword

ITWhisperer — Tue, 01 Oct 2024 12:31:30 GMT

You could try protecting access to the lookup by putting in a kv store and accessing it through a custom command. This custom command would be in an app which is protected from "casual" users with particular roles and permissions. The custom command would return the matching word without disclosing the contents of the lookup. This is not a trivial solution but may at least go some way to meeting your requirement.

Re: Lookup search wigh showing matched keyword

msalghamdi — Tue, 01 Oct 2024 18:54:39 GMT

Hello.

the field in my search is "file_name" while the field in the lookup is called "phrase", i tried to use this but it didnt work:

| lookup my_lookup.csv phrase OUTPUT file_name AS found_key