https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23546#M4215 <P>I think I'm missing something "the field name"</P> <P>The sanslist.csv is only a list of IP's there is no field name in the one column table. Who do I get the field name in the table or lookup.</P> <P>I am doing a rex piped to a table command to get the IP from a scripted downloaded file and then pipe the table to "outputlookup sanslist.csv" How do I get the field name into this?</P> Tue, 29 Nov 2011 15:22:11 GMT hartfoml 2011-11-29T15:22:11Z https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23544#M4213 <P>I have a table of bad IP's that I want to use in a search agnest my firewall logs</P> <P>in the past I have done this low tech search </P> <P>sourcetype="cisco_syslog" ("x.x.x.x" OR "y.y.y.y" OR z.z.z.z) # this sometimes takes a long time #</P> <P>this search would find all the firewall logs that have any of the bad IP's. As the list became longer I wanted to use the list from SANS.org. I can automaticly generate the list OK, but how do I use the list in a search?</P> Mon, 28 Nov 2011 21:01:11 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23544#M4213 hartfoml 2011-11-28T21:01:11Z https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23545#M4214 <P>Create a lookup file and put it for instance in an appropriate directory (for instance <CODE>$SPLUNK_HOME/etc/system/lookups</CODE>), then search for IP numbers found in it using a subsearch. Let's say you call the lookup <CODE>sanslist.csv</CODE> and use the field name "ip":</P> <PRE><CODE>sourcetype="cisco_syslog" [| inputlookup sanslist.csv | rename ip AS query | fields query] </CODE></PRE> <P>Some information on the reason for renaming the "ip" field to "query": a subsearch works much like backticks in many *NIX shells, in that it executes first of all and then returns its results to the outer search, which uses this output. Normally if you have a subsearch with "<CODE>| fields foo</CODE>" at the end, the subsearch will return something like this:</P> <PRE><CODE>((foo="val1") OR (foo="val2") OR (foo="val3") ... OR foo="val42")) </CODE></PRE> <P><CODE>query</CODE> is a special field that causes the subsearch to return pure free-text searches rather than searching for values in a particular field. So if <CODE>foo</CODE> were to be renamed to <CODE>query</CODE>, the subsearch would instead return something like this:</P> <PRE><CODE>("val1" OR "val2" OR "val3" ... OR "val42") </CODE></PRE> <P>In your case you want to search for the IP numbers as free-text searches, so that's why the renaming is needed.</P> Mon, 28 Nov 2011 21:22:00 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23545#M4214 Ayn 2011-11-28T21:22:00Z https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23546#M4215 <P>I think I'm missing something "the field name"</P> <P>The sanslist.csv is only a list of IP's there is no field name in the one column table. Who do I get the field name in the table or lookup.</P> <P>I am doing a rex piped to a table command to get the IP from a scripted downloaded file and then pipe the table to "outputlookup sanslist.csv" How do I get the field name into this?</P> Tue, 29 Nov 2011 15:22:11 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23546#M4215 hartfoml 2011-11-29T15:22:11Z https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23547#M4216 <P>If you are passing values to outputlookup you are feeding it with some field value as well. Have a look at this question: <A href="http://splunk-base.splunk.com/answers/5521/specify-fields-for-outputlookup-or-outputcsv">http://splunk-base.splunk.com/answers/5521/specify-fields-for-outputlookup-or-outputcsv</A></P> <P>Or check yourself in the resulting .csv file. The fieldname is in the headers on the first line of the CSV file.</P> Tue, 29 Nov 2011 15:55:14 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-issues/m-p/23547#M4216 Ayn 2011-11-29T15:55:14Z