
1 search, 2 sourcetypes, 1 lookup file

mcm10285
Communicator

Is it possible to use one lookup table for 2 sourcetypes in a single search? For example, lookup.csv contains IP and Category. I would like to alert on IPs matching the lookup.csv from cisco firewalls (e.g. sourcetype=asa, match with field "dest_ip") and proxy gateways (sourcetype=bcoat, match with field "dst"). Assumption is there are no similar fields between the two sourcetypes.

sourcetype=asa OR sourcetype=bcoat[|inputlookup lookup.csv..........]


lguinn2
Legend

Use the rename command to make the fields the same name, or use eval to create the appropriate key.

I am not sure why you are using the inputlookup command, however. For inputlookup, there is no key.

sourcetype=asa OR sourcetype=bcoat
| rename dest_ip as IP, dst as IP
| lookup ip_lookup IP

I don't think you can simply refer to the lookup.csv file in the lookup command. In my example, I assumed that you defined a lookup called ip_lookup.

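The same idea with eval instead of rename, as an added example that is not part of lguinn2's answer: coalesce() takes whichever of dest_ip or dst an event carries, so the key does not depend on rename order if an event ever has both fields. It assumes a lookup definition named ip_lookup whose CSV has the columns IP and Category; the closing stats is an assumed alert shape, not something from the original thread.

```spl
sourcetype=asa OR sourcetype=bcoat
| eval IP=coalesce(dest_ip, dst)
| where isnotnull(IP)
| lookup ip_lookup IP OUTPUT Category
| where isnotnull(Category)
| stats count, values(sourcetype) AS sourcetypes, min(_time) AS first_seen, max(_time) AS last_seen BY IP, Category
```

The first where drops events from either sourcetype that have no destination field at all (they can never match). The lookup only creates Category when the IP is found in the table, so the second where keeps just the hits; an alert on this search with a trigger condition of "number of results > 0" then fires only when a watched IP has been seen. The stats line collapses repeated hits into one row per IP and Category with a first/last seen window, which is usually what the on-call reader wants rather than one raw event per connection.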

stefano_guidoba
Communicator

You could try entering the lookup 2 times like this:

sourcetype=asa OR sourcetype=bcoat
| lookup lookup.csv IP as dest_ip OUTPUT Category
| lookup lookup.csv IP as dst OUTPUT Category
| ...

However, I suggest you override the sourcetype definitions in order to extract two fields with the same name (say, dest_ip). This way you can "enter" the lookup only one time. Also, you can configure an automatic lookup for these sourcetypes, so when you search for

sourcetype=asa OR sourcetype=bcoat

you automatically have one new field named Category.
Regards,
Stefano

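The automatic-lookup configuration Stefano describes, as an added example that is not part of his answer. It assumes lookup.csv has been uploaded as a lookup table file (with columns IP and Category) in the same app as these props.conf and transforms.conf stanzas, and that the sourcetype names are exactly asa and bcoat. The per-sourcetype AS clause means the two sourcetypes can keep their different field names (dest_ip and dst) and still populate one shared Category field, so no field-extraction override is needed for this.

```ini
# transforms.conf (in the app's local/ directory)
# Lookup definition backed by the uploaded CSV; ip_lookup is an assumed name.
[ip_lookup]
filename = lookup.csv

# props.conf (same app)
# One automatic lookup per sourcetype. Syntax:
#   LOOKUP-<class> = <transforms stanza> <lookup column> AS <event field> OUTPUT <output field>
# Both classes write the lookup's Category column to a field called Category.
[asa]
LOOKUP-ip_category = ip_lookup IP AS dest_ip OUTPUT Category

[bcoat]
LOOKUP-ip_category = ip_lookup IP AS dst OUTPUT Category
```

After a restart (or a debug/refresh), a search such as sourcetype=asa OR sourcetype=bcoat Category=* returns only events whose destination IP is in the table, with no lookup command in the search at all; that search is what you would save as the alert. Check that the lookup table file and the lookup definition are shared at the app or global level, otherwise the automatic lookup silently produces no field for users outside the owning app.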