https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143377#M39813 <P>I have a csv file with a blacklist of domain names and IP's. <BR /> ip,domain<BR /> 1.1.1.1,foo.com<BR /> 2.2.2.2,bar.com</P> <P>I am trying to perform a lookup for the ip in csv against the Splunk events. In the events, there are 2 extracted fields src_ip and dest_ip that I want to check against the ip in csv. If a match is found in any of these fields, I would like to set up an alert. </P> <P>If I perform the following search which is looking up 1 field src_ip, it works.<BR /> sourcetype=traffic_logs | dedup src_ip<BR /> | lookup ipLookup ip as src_ip OUTPUT ip as match_found<BR /> | where match_found!="unmatched"</P> <P>But for multiple fields, src_ip and dest_ip, it does not. Here is what I tried:<BR /> sourcetype=traffic_logs | dedup src_ip, dest_ip<BR /> | lookup ipLookup ip as src_ip, ip as dest_ip OUTPUT ip as match_found<BR /> | where match_found!="unmatched"</P> <P>Also tried the following without success:</P> <P>sourcetype=traffic_logs | dedup src_ip, dest_ip<BR /> | lookup ipLookup ip as src_ip OUTPUT ip as src_found<BR /> | where src_found!="unmatched"<BR /> | lookup ipLookup ip as dest_ip OUTPUT ip as dest_found<BR /> | where dest_found!="unmatched"</P> <P>In the same search I would also like to look for any string that matches the value in column "domain" from the csv.</P> <P>Appreciate any help!</P> Mon, 28 Sep 2020 15:17:05 GMT spj2 2020-09-28T15:17:05Z https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143377#M39813 <P>I have a csv file with a blacklist of domain names and IP's. <BR /> ip,domain<BR /> 1.1.1.1,foo.com<BR /> 2.2.2.2,bar.com</P> <P>I am trying to perform a lookup for the ip in csv against the Splunk events. In the events, there are 2 extracted fields src_ip and dest_ip that I want to check against the ip in csv. If a match is found in any of these fields, I would like to set up an alert. </P> <P>If I perform the following search which is looking up 1 field src_ip, it works.<BR /> sourcetype=traffic_logs | dedup src_ip<BR /> | lookup ipLookup ip as src_ip OUTPUT ip as match_found<BR /> | where match_found!="unmatched"</P> <P>But for multiple fields, src_ip and dest_ip, it does not. Here is what I tried:<BR /> sourcetype=traffic_logs | dedup src_ip, dest_ip<BR /> | lookup ipLookup ip as src_ip, ip as dest_ip OUTPUT ip as match_found<BR /> | where match_found!="unmatched"</P> <P>Also tried the following without success:</P> <P>sourcetype=traffic_logs | dedup src_ip, dest_ip<BR /> | lookup ipLookup ip as src_ip OUTPUT ip as src_found<BR /> | where src_found!="unmatched"<BR /> | lookup ipLookup ip as dest_ip OUTPUT ip as dest_found<BR /> | where dest_found!="unmatched"</P> <P>In the same search I would also like to look for any string that matches the value in column "domain" from the csv.</P> <P>Appreciate any help!</P> Mon, 28 Sep 2020 15:17:05 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143377#M39813 spj2 2020-09-28T15:17:05Z https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143378#M39814 <P>Below search should help you lookup your src_ip and dest_ip in the ipLookup csv file and if anyone matches, you'll have events returned from this search so you can setup alert.</P> <PRE><CODE>sourcetype=traffic_logs | eval joinfield=1|join max=0 joinfield [|inputlookup ipLookup | fields domain | eval joinfield=1] | where LIKE(_raw,"%".domain."%")| dedup src_ip,dest_ip | lookup ipLookup ip as src_ip OUTPUT domain as src_found | lookup ipLookup ip as dest_ip OUTPUT domain as dest_found | eval shouldAlert=case(isnotnull(src_found) OR isnotnull(dest_found),"Yes",1=1,"No") | where shouldAlert="Yes" </CODE></PRE> <H2>Update</H2> <P>Try following</P> <P>sourcetype=traffic_logs |dedup src_ip,dest_ip| eval allIp=src_ip."#".dest_ip| eval joinfield=1|join max=0 joinfield [|inputlookup ipLookup | eval joinfield=1] | where LIKE(allIp,"%".ip."%") </P> <P>Explaination:<BR /> First combine both IP into one field. Then cross join with lookup row [will give you Count of event * count of lookup value rows]. Then search for events where the ip from lookup file is contained in combined ip field. If any match is found, you can set your alert on that.</P> Mon, 28 Sep 2020 15:17:19 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143378#M39814 somesoni2 2020-09-28T15:17:19Z https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143379#M39815 <P>Appreciate your response. But this did not work. At this time finding a matching IP is more important than matching the domain. I also tried without using the domain portion of the search, but did not return anything. Since I am using a test csv, I know I have common IP's in both the csv and the logs.</P> Fri, 15 Nov 2013 14:48:12 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143379#M39815 spj2 2013-11-15T14:48:12Z https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143380#M39816 <P>try the new option which I updated above.</P> Fri, 15 Nov 2013 20:53:33 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-one-column-in-csv-against-multiple-extracted-fields/m-p/143380#M39816 somesoni2 2013-11-15T20:53:33Z