Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude a lookup from a tstats in subsearch?

innoce
Path Finder
‎07-04-2023 09:38 PM

Hi,

I have list of domains in a lookup and I need to exclude it from my query

 

| tstats summariesonly=true allow_old_summaries=false dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" by "DNS.src","DNS.query" index sourcetype 
| rename "DNS.src" as src "DNS.query" as message index as orig_index sourcetype as orig_sourcetype 
| eval length=len(message) 
| stats sum(length) as length by src message orig_index orig_sourcetype 
| append 
    [ tstats summariesonly=true allow_old_summaries=false dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" by "DNS.src","DNS.answer" index sourcetype 
    | rename "DNS.src" as src "DNS.answer" as message index as orig_index sourcetype as orig_sourcetype 
    | eval message=if(message=="unknown","", message) 
    | eval length=len(message) 
    | stats sum(length) as length by src message orig_index orig_sourcetype] 
| dedup src 
| stats sum(length) as length by message src orig_index orig_sourcetype

 

Now I have to exclude the domains lookup from both my tstats.. I tried this but not seeing any results.. First part works fine but not the second one.. 

 

| tstats summariesonly=true allow_old_summaries=false dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT 
    [| inputlookup domainslist
    | fields domains 
    | rename domains as DNS.query 
    | format] by "DNS.src","DNS.query" index sourcetype 
| rename "DNS.src" as src "DNS.query" as message index as orig_index sourcetype as orig_sourcetype 
| eval length=len(message) 
| stats sum(length) as length by src message orig_index orig_sourcetype 
| append 
    [ tstats summariesonly=true allow_old_summaries=false dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT 
        [| inputlookup domainslist
        | fields domains 
        | rename domains as DNS.answer 
        | format] by "DNS.src","DNS.answer" index sourcetype 
    | rename "DNS.src" as src "DNS.answer" as message index as orig_index sourcetype as orig_sourcetype 
    | eval message=if(message=="unknown","", message) 
    | eval length=len(message) 
    | stats sum(length) as length by src message orig_index orig_sourcetype] 
| dedup src 
| stats sum(length) as length by message src orig_index orig_sourcetype

 

Any suggestions would be appreciated.. thanks!

0 Karma
Reply

MaverickT
Communicator
‎07-04-2023 10:55 PM

I think the catch is not the lookup. It is the data structure. While testing your search I got the results if I put IP address to my domainslist lookup table.

The thing is that "DNS.answer" should be the IP address of the queried domain. Or am I wrong? If you want to search answers then your lookup should also include IP addresses.

Note that in my experience if it is a big lookup file, this method will not work. It returns error and seach does not complete. In that case you have to return everything with tstats and then use lookup + search (or search + inputlookup).

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...