Splunk Enterprise

If statement with lookup table

biers04
Explorer

Created a lookup table for Common File locations. I am going to filter these out of results using the lookup table, however there are a few customers we have where certain files are not authorized (despite of real world clean), so I would need to show results for these customers.

Basically, if C:\Program Files (x86)\Mozilla Firefox\Firefox, filtering this out with the lookup table... However, if customer=exampleCustomer, then the result should still display. Is this possible using lookup tables, or do I need to specifically search customer without the lookup.

0 Karma
1 Solution

cmerriman
Super Champion

I agree with @somesoni2. If it is something you can add to your base search, I definitely would do it that way.

Another way would be something like this:

base search
|join type=left interesting_field [|inputlookup lookupfile.csv|table interesting_field field_names]
|eval keep=if(customer="example_customer" OR customer="example_customer_2" OR isnull(interesting_field),1,0)
|search keep=1
|rest of search

somesoni2
SplunkTrust

Is that the only constraint you have for your filter logic, or are there many other customers/rules? If that's the only one, you could do something like this:

index=foo sourcetype=bar ( NOT [| inputlookup yourFilterLookup.csv |... table source ] AND customer!=exampleCustomer) OR (customer=exampleCustomer) ...| rest of the search...

So, the lookup filter will be applied only when customer is not "exampleCustomer". When customer is "exampleCustomer" all results are returned.

biers04
Explorer

There are a lot of customers and rules... I was looking not to have to specifically rule it out, but if that is the only way, I will deal with the cards I've been dealt.

0 Karma

biers04
Explorer

Basically, I want to filter out 50 alerts for first_customer, a completely different set of rules to filter for second_customer, and so on, up to about 25-30 customers. I think it would be much better to do this through one CSV lookup, just unsure how to specify to meet my needs.

0 Karma
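The left-join plus keep-flag logic from the accepted answer, extended to the per-customer rule sets asked for in the last post, as an added Python simulation (not from the thread or from Splunk): the lookup gets an `exempt_customers` column, so one CSV carries every customer's exceptions instead of hard-coding them in the `eval`. The lookup rows, the events and the column name are constructed for the example, and the SPL in the trailing comment is an assumed sketch, not a verified search.

```python
import csv
import io

# Constructed lookup: one row per common file location to suppress, plus a
# ';'-separated list of customers for whom that path must NOT be suppressed
# (empty = suppress for everyone).
LOOKUP_CSV = r"""path,exempt_customers
C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
C:\Program Files\7-Zip\7z.exe,exampleCustomer
C:\Windows\System32\svchost.exe,exampleCustomer;otherCustomer
"""

# Constructed events standing in for the output of the base search.
EVENTS = [
    {"customer": "acme", "path": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"},
    {"customer": "exampleCustomer", "path": r"C:\Program Files\7-Zip\7z.exe"},
    {"customer": "acme", "path": r"C:\Program Files\7-Zip\7z.exe"},
    {"customer": "acme", "path": r"C:\Users\bob\AppData\Local\Temp\x.exe"},
]

def load_lookup(text):
    """Parse the lookup into {normalised path: set of exempt customers}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        exempt = {c.strip() for c in row["exempt_customers"].split(";") if c.strip()}
        table[row["path"].lower()] = exempt  # Windows paths are case-insensitive
    return table

def keep(event, table):
    """Mirror of the left join + eval keep=if(...):
    not in lookup -> keep (isnull after the join); in lookup and the customer
    is exempt -> keep; in lookup and not exempt -> drop."""
    exempt = table.get(event["path"].lower())
    if exempt is None:
        return True
    return event["customer"] in exempt

def filter_events(events, lookup_text):
    """Apply the lookup-driven filter to a list of events."""
    table = load_lookup(lookup_text)
    return [e for e in events if keep(e, table)]

# Assumed SPL equivalent (sketch only; the Python above is the reference):
#   base search
#   | lookup common_paths.csv path OUTPUT path AS in_lookup, exempt_customers
#   | where isnull(in_lookup) OR match(";".exempt_customers.";", ";".customer.";")
```

Suppressed paths without an `exempt_customers` value behave exactly like the original single-column lookup, so existing rows need no change.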