https://community.splunk.com/t5/Splunk-Search/Multiple-lookups-with-an-OR/m-p/326166#M97254 <P>Thank you. Let me give this a go, and I will respond on the thread. For whatever reason, I did not see this answer. Sorry about that. </P> Thu, 13 Apr 2017 19:20:32 GMT stakor 2017-04-13T19:20:32Z https://community.splunk.com/t5/Splunk-Search/Multiple-lookups-with-an-OR/m-p/326164#M97252 <P>I am looking to use lookups in an OR for a search. Roughly what I want to do is:</P> <PRE><CODE>&lt;search&gt; ((if IP_From_BAD_IP matches destination_IP) OR (if IP_From_BAD_IP matches source_IP)) </CODE></PRE> <P>I am extracting the IPs as below:</P> <PRE><CODE>&lt;main_search&gt; [|inputlookup BAD_IP.csv|table ip_address | rename ipaddress as destination_ip] </CODE></PRE> <P>Clearly, doing:</P> <PRE><CODE>&lt;main_search&gt; [|inputlookup BAD_IP.csv|table ip_address | rename ipaddress as destination_ip] [|inputlookup BAD_IP.csv|table ip_address | rename ipaddress as source_ip] </CODE></PRE> <P>Will not work, as there is an implied AND. Not sure how to extract the lists of IPs to match the source_IP and destination_IP, with an OR. Anyone have any guidance? </P> Tue, 29 Sep 2020 13:38:53 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-lookups-with-an-OR/m-p/326164#M97252 stakor 2020-09-29T13:38:53Z https://community.splunk.com/t5/Splunk-Search/Multiple-lookups-with-an-OR/m-p/326165#M97253 <P>Here's one way...</P> <PRE><CODE>&lt;main search giving source_ip and destination_ip&gt; | join type=left destination_ip [| inputlookup BAD_IP.csv| table ip_address | rename ip_address as ip_address1 | eval destination_ip = ip_address1] | join type=left source_ip [| inputlookup BAD_IP.csv| table ip_address | rename ip_address as ip_address2 | eval source_ip = ip_address2] | where isnotnull(ip_address1) OR isnotnull(ip_address2) </CODE></PRE> <P>... here's another...</P> <PRE><CODE>&lt;main search giving source_ip and destination_ip&gt; | search [|inputlookup BAD_IP.csv | eval destination_ip=ip_address | eval source_ip = ip_address | table source_ip destination_ip | format "(" "(" OR ")" OR ")" ] </CODE></PRE> <P>The latter method should only be used when the csv is pretty small, since the section of code in square brackets <CODE>[...]</CODE> expands to </P> <PRE><CODE>( ( destination_ip="001.001.001.001" OR source_ip="001.001.001.001" ) OR ( destination_ip="002.002.002.002" OR source_ip="002.002.002.002" ) OR ... ) </CODE></PRE> <P>...and a third method, probably more efficient than the above two, but beware the record limits on <CODE>append</CODE>...</P> <PRE><CODE>&lt;main search giving source_ip and destination_ip&gt; | eval ip_address = mvappend(source_ip, destination_ip) | eval IsDetail="Yes" | append [|inputlookup BAD_IP.csv | eval IsBadIP = "Yes" | table ip_address IsBadIP ] | eventstats max(IsBadIP) as IsBadIP by ip_address | where IsBadIP=="Yes" AND IsDetail=="Yes" </CODE></PRE> Wed, 12 Apr 2017 17:01:11 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-lookups-with-an-OR/m-p/326165#M97253 DalJeanis 2017-04-12T17:01:11Z https://community.splunk.com/t5/Splunk-Search/Multiple-lookups-with-an-OR/m-p/326166#M97254 <P>Thank you. Let me give this a go, and I will respond on the thread. For whatever reason, I did not see this answer. Sorry about that. </P> Thu, 13 Apr 2017 19:20:32 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-lookups-with-an-OR/m-p/326166#M97254 stakor 2017-04-13T19:20:32Z