Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Query using multiple lookups

hl
Path Finder
‎02-04-2026 05:55 AM

Hello, 

   Looking for a way to query network traffic and search for IP's that have remote connection software i.e. ms-rdp and compare those ip's to the CrrowdStrike_lookup and print out the nt_host of the user and dns of the user.  Everything works expect the CrowdStrike lookup. 

| tstats `security_content_summariesonly` count min(_time)
as firstTime max(_time) as lastTime  values(All_Traffic.dest_port)
as dest_port latest(All_Traffic.user) as user from datamodel=Network_Traffic
where sourcetype="pan:*" All_Traffic.action="allowed"
by All_Traffic.action All_Traffic.app All_Traffic.bytes
All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.src_port
All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port
All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
All_Traffic.src All_Traffic.src_ip  All_Traffic.transport All_Traffic.user
All_Traffic.signature
All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_appid AS app OUTPUT
isutility, description as signature, comment_reference as
desc, category
| lookup CrowdStrike_asset_lookup nt_host AS src OUTPUT dns as ip
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_traffic_filter`

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hl
Path Finder
‎02-04-2026 08:51 AM

I figured it out now , 

`|lookup CrowdStrike_asset_lookup ip AS src_ip OUTPUT nt_host, dns`

View solution in original post

Reply
Solved! Jump to solution
Solution

hl
Path Finder
‎02-04-2026 08:51 AM

I figured it out now , 

`|lookup CrowdStrike_asset_lookup ip AS src_ip OUTPUT nt_host, dns`

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-04-2026 07:45 AM

What is not working as expected regarding the Crowdstrike lookup?

Verify the src field exists in the results when the lookup is performed.  Also, verify the lookup table has an nt_host field.  Confirm both fields use the same format, including case (unless the lookup is defined as case-insensitive).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...