topic Re: Using lookup table as source for search in Splunk Search

Using lookup table as source for search

tmwhitm — Tue, 29 Sep 2020 17:07:40 GMT

I am looking for a way to perform a search and produce results matching search results against a lookup table or vice versa. The scenario is a lookup table with two columns, IP & Description. I wish to run a search and produce results on the IP addresses that match the IP addresses in the lookup table. My syntax is not correct on what I have been able to test, see below for the SPL I was using. I know there must be a straight forward way to accomplish this task. Much appreciated for any support.

Thank you,
Tom

index="network" sourcetype="cisco:asa" | join src_ip [ search inputlookup append=t FLASHAB000089 | rename IPAddr as src_ip]

Re: Using lookup table as source for search

elliotproebstel — Fri, 08 Dec 2017 19:18:21 GMT

Here's the syntax I use for such cases:

index="network" sourcetype="cisco:asa" 
[ | inputlookup FLASHAB000089 
  | stats values(IPAddr) as src_ip 
  | format ]

Re: Using lookup table as source for search

tmwhitm — Fri, 08 Dec 2017 19:30:16 GMT

Just tried it and working with a control IP i added to the lookup table. Thank you very much!

Re: Using lookup table as source for search

tmwhitm — Wed, 06 Jun 2018 19:04:05 GMT

The syntax in the accepted answer works great but when I create a lookup table with UrLs, it does not work. Any ideas on how to use a lookup table with UrLs? I have SPL like this that isn't working,

The lookup table UrL-Input contains two columns, URL & Description.

Any assistance is appreciated.

Tom