Splunk Enterprise Security

How to leverage multiple lookup tables in a search

jrprez1804
Path Finder

I have two lookup tables:

notablesIp.csv and criticalAsset.csv

notableIP.csv
ip attack
1.1.1.1 Ransomware
1.1.1.2 Malware

CriticalAsset.csv
1.1.1.2
1.1.1.3

Desired results
1.1.1.2 Malware

How would I write a search that would tell me a notable happened on a critical asset?
They share a common field called IP.

1 Solution

13tsavage
Communicator

Try this search:

| inputlookup notablesIP.csv
| join ip [| inputlookup CriticalAsset.csv ]


0 Karma
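A `lookup`-based alternative to the accepted `join` search, added here as an example; it is not part of either poster's answer. It assumes the file names `notablesIP.csv` and `CriticalAsset.csv` and the lowercase field name `ip` exactly as they appear in the thread, that both CSVs have been uploaded as lookup table files so they can be referenced by file name, and the alias `critical_ip` is a name chosen for this example. `lookup` matches each notable row against the critical-asset file without running a subsearch, so it is not bounded by the subsearch result and time limits that apply to `join`; the `where` filter keeps only the rows that matched, which gives the same inner-join result as the accepted answer (here `1.1.1.2 Malware`):

```spl
| inputlookup notablesIP.csv
| lookup CriticalAsset.csv ip OUTPUT ip AS critical_ip
| where isnotnull(critical_ip)
| fields ip attack
```

Check the header of each file first with `| inputlookup CriticalAsset.csv | head 1`: SPL field names are case-sensitive, so an `IP` column in one file and an `ip` column in the other returns no matches rather than an error. For the KV store version described further down in the thread, replace the file names with the lookup definition names (`notableIP` and `CriticalAsset`). The same result can also be produced with a subsearch filter, `| inputlookup notablesIP.csv | search [| inputlookup CriticalAsset.csv | fields ip]`, which expands to an OR of the critical `ip` values and is therefore subject to the subsearch result limit once the asset list grows.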

to4kawa
Ultra Champion

| inputlookup notablesIP.csv
| inputlookup append=t CriticalAsset.csv
| selfjoin ip

I made a mistake. That's enough.

0 Karma

13tsavage
Communicator

I have never been able to get this search to work even though I see multiple references to just this search @to4kawa. What version of Splunk are you using? Because in Splunk Enterprise 8.0.1 this search gets an error.

Error in 'inputlookup' command: This command must be the first command of a search.

Which is why I used the join command by the field ip.

0 Karma

to4kawa
Ultra Champion

I needed a sub search. I wonder if join is good this time.

0 Karma

jrprez1804
Path Finder

This is perfect. Also, I added the lookup to the KV store, so now it is
| inputlookup notableIP | join ip [| inputlookup CriticalAsset]
We are using Splunk ver 7.2

0 Karma