Outputting the same field for two automatic lookup...

ejwade · ‎04-06-2023

I am trying to perform an automatic lookup on IP field against two lookup definitions/tables. One is a list of IPs with their department, and another is a list of networks with their department (with CIDR match configured). I would like the two automatic lookups to use the following logic.

- If there is match on the IP list, use the department from that IP record.
- Else if there is a CIDR match on the network list, use the departmnet from that network record.
- Else if there are no matches from either, do nothing (default behavior).

Here's an example of the lookup text for each

- ip_list ip OUTPUT(NEW) dept AS ip_dept
- network_list network AS ip OUTPUT(NEW) dept AS ip_dept

I tried doing OUTPUT on the ip_list, and OUTPUTNEW on the network_list, but that excludes network lookups. I tried doing OUTPUTNEW on both, hoping for an alphabetical order of operations, but that doesn't seem to be working either.

Any ideas would be appreciated - thank you!

woodcock · ‎04-06-2023

I am assuming that you don't *really* mean "automatic" lookup. If so, just use this SPL in your search:

...
| lookup ip_list ip OUTPUT dept AS ip_dept
| lookup network_list network AS ip OUTPUTNEW dept AS ip_dept

ejwade · ‎04-06-2023

Thank you for responding @woodcock! I was hoping you'd see this.

I am trying to do this in an automatic lookup. I've been doing this in SPL, but I'd rather use automatic lookups to find the department for IPs in my logs. My ultimate plan is to put these lookup outputted fields into our data models.

The problem - not all IPs are in the IP inventory, and I want to use the network inventory when that happens.

Outputting the same field for two automatic lookups

lookup

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!