I have a search that leverages a kvstore lookup that takes the src IP and then checks the lookup to see what core, context, and zone the IP is associated with:
| lookup zone_lookup cidr_range as src
| fillnull value=NULL
| search context!="" core!="" zone!=""
| eval core=coalesce(core,"null")
| eval context=coalesce(context,"null")
| eval zone=coalesce(zone,"null")
Unfortunately, we do not have a ROA for this info, so we have populated the kvstore lookup from various sources as best we can, but sometimes we'll see src IPs with no zone listed. I do have a table I keep that allows me to fill in those blanks, and it's a simple table as follows:
cidr_range    zone
x.x.x.x/16    zone1
y.y.y.y/24    zone2
z.z.z.z/24    zone3
I'd like to create a search that appends my lookup with this data - how would I write that search?
Thx
Once you upload your spreadsheet as a lookup CSV, you can access it in a search. Here's how you can write the search to update the kvstore.
Assuming that the field names are cidr_range and zone:
| inputlookup spreadsheet_data.csv
| lookup zone_lookup cidr_range OUTPUT zone AS zone2
| search NOT zone2=*
| table cidr_range zone
Once you've validated the results, you can update the kvstore by adding the following line to the end of the search.
| outputlookup zone_lookup append=true
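To make the two searches in this thread concrete (the CIDR lookup that enriches a src IP with its zone in the question, and the inputlookup/lookup/outputlookup pipeline in the answer above), here is an added offline model in Python. It is not code from the original posts or from Splunk; all rows are constructed, the field names follow the thread, and the values are made up. It assumes two things worth stating: a range is treated as "already known" only when the KV store holds that exact cidr_range with a non-blank zone (a more specific range inside a known supernet is still appended, and longest-prefix match wins at lookup time), and a spreadsheet range that exists in the KV store with a blank zone is emitted with that row's `_key`, relying on outputlookup updating a KV store record whose `_key` is supplied rather than adding a second row for the same range.

```python
"""Offline model of the searches in this thread: the CIDR lookup that enriches a
src IP with its zone, and the pipeline that pushes missing ranges from the
spreadsheet into the KV store. All data below is constructed; field names follow
the thread (cidr_range, zone, core, context), the values are made up."""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Row = Dict[str, str]

# Constructed stand-in for the zone_lookup KV store collection.
KVSTORE_ROWS: List[Row] = [
    {"_key": "k1", "cidr_range": "10.0.0.0/8",    "core": "core-a", "context": "corp", "zone": "zone0"},
    {"_key": "k2", "cidr_range": "10.20.0.0/16",  "core": "core-a", "context": "corp", "zone": "zone1"},
    {"_key": "k3", "cidr_range": "172.16.5.0/24", "core": "core-b", "context": "dmz",  "zone": ""},
]

# Constructed stand-in for the poster's spreadsheet (uploaded as a CSV lookup).
SPREADSHEET_ROWS: List[Row] = [
    {"cidr_range": "10.20.0.0/16",   "zone": "zone1"},  # already known: skipped
    {"cidr_range": "172.16.5.0/24",  "zone": "zone3"},  # known range, blank zone: updated via _key
    {"cidr_range": "192.168.1.0/24", "zone": "zone2"},  # unknown range: appended
    {"cidr_range": "192.168.1.0/24", "zone": "zone2"},  # duplicate spreadsheet line: skipped
    {"cidr_range": "not-a-cidr",     "zone": "zone9"},  # malformed: rejected, never stored
]


def parse_network(cidr: str) -> Optional[Network]:
    """Accept only a well-formed CIDR; anything else is rejected rather than stored."""
    try:
        return ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return None


def resolve_zone(src: str, rows: List[Row]) -> Optional[str]:
    """Model of `| lookup zone_lookup cidr_range as src`: longest-prefix match of the
    source IP against cidr_range. Returns None when nothing matches or when the
    matching row has a blank zone (the "src IP with no zone" case in the question)."""
    try:
        addr = ipaddress.ip_address(src.strip())
    except ValueError:
        return None
    best_len, best_zone = -1, None
    for row in rows:
        net = parse_network(row.get("cidr_range", ""))
        if net is None or net.version != addr.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best_zone = net.prefixlen, (row.get("zone") or None)
    return best_zone


def rows_to_append(kvstore_rows: List[Row], spreadsheet_rows: List[Row]) -> List[Row]:
    """Model of the answer's pipeline (inputlookup | lookup | search NOT zone2=* | table).
    Emits one row per spreadsheet range the KV store cannot yet resolve to a zone.
    If the exact range already exists with a blank zone, the emitted row carries that
    row's _key so outputlookup overwrites it instead of adding a duplicate range."""
    existing: Dict[Network, Row] = {}
    for row in kvstore_rows:
        net = parse_network(row.get("cidr_range", ""))
        if net is not None:
            existing[net] = row
    out: List[Row] = []
    seen = set()
    for row in spreadsheet_rows:
        net = parse_network(row.get("cidr_range", ""))
        zone = (row.get("zone") or "").strip()
        if net is None or not zone or net in seen:
            continue  # malformed, empty, or duplicated spreadsheet line
        seen.add(net)
        current = existing.get(net)
        if current is not None and current.get("zone"):
            continue  # the KV store already knows this range's zone
        new_row: Row = {"cidr_range": str(net), "zone": zone}
        if current is not None:
            new_row["_key"] = current["_key"]
        out.append(new_row)
    return out


def apply_outputlookup_append(kvstore_rows: List[Row], new_rows: List[Row]) -> List[Row]:
    """Model of `| outputlookup zone_lookup append=true` (assumed _key semantics): a row
    with a matching _key updates that record in place, a row without _key is added."""
    merged = [dict(r) for r in kvstore_rows]  # leave the caller's rows untouched
    by_key = {r["_key"]: r for r in merged if "_key" in r}
    for new in new_rows:
        key = new.get("_key")
        if key in by_key:
            by_key[key].update({k: v for k, v in new.items() if k != "_key"})
        else:
            record = dict(new)
            record["_key"] = f"gen{len(merged) + 1}"  # stand-in for a KV-store-generated key
            merged.append(record)
            by_key[record["_key"]] = record
    return merged


if __name__ == "__main__":
    pending = rows_to_append(KVSTORE_ROWS, SPREADSHEET_ROWS)
    updated = apply_outputlookup_append(KVSTORE_ROWS, pending)
    for ip in ("10.20.3.4", "172.16.5.10", "192.168.1.9", "203.0.113.1"):
        print(ip, resolve_zone(ip, KVSTORE_ROWS), "->", resolve_zone(ip, updated))
```

Running the model shows why the validation step before `outputlookup` matters: `append=true` does not deduplicate for you, so a spreadsheet line repeated twice, or a range already present in the collection, would become a second record unless it is filtered out (or carries the existing `_key`) first; malformed ranges are dropped in the same pass so they never reach the KV store.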
A few questions:
"I do have a table I keep that allows me to fill....."
By table, do you mean an index or a lookup?
"I'd like to create a search that appends my lookup with this data"
By append, did you mean 1. you want this data to enrich the current search, 2. you want to append it to the kvstore lookup as new rows, or 3. you want to update the existing kvstore null records?
Great questions, and allow me to clarify:
For example, I see src IPs that have no zone associated with them because that data is not in the kvstore but in my spreadsheet, so I'd like to append that data so it's in the kvstore/lookup.
Hope this helps
Thx
Thx for the solution!