Splunk Enterprise

Index to lookup match IP address- Why is "target_ip" not showing up on table?

ATEsiveL
Observer

Hello all, hoping someone may be able to help. I have an internal tool I have an export from in the form of a CSV that has a column named ip. I uploaded this as an inputlookup (name.csv). I verified I can see the ip information by running |inputlookup name.csv, and the rows of IP addresses show.

I have a base search that returns data, and I want to see if any of the src or dest IPs from my search match the IP addresses listed in my name.csv. I keep running into a search that returns a few thousand events, although I can search the events by src and dest and they show without the lookup.

Currently my search looks like this:

(index=name1 OR index=name2 OR index=name3) src_ip_country="United States" action=allowed
| stats count by src, dest
| sort count
| reverse
| lookup name.csv ip OUTPUT target_ip
| table target_ip, src, dest


This search gives me a tabled output with the src and dest fields populated, but nothing in the "target_ip" field. Any ideas? Thank you.

0 Karma

richgalloway
SplunkTrust

I guess I should have been more explicit in my first reply. Since the lookup commands are returning target_ip as src_target_ip or dest_target_ip, there is no longer a target_ip field for the table command to display.

Also, the count is not displayed because the table command did not specify it. That's not related to the lookups.

(index=name1 OR index=name2 OR index=name3) src_ip_country="United States" action=allowed
| stats count by  src, dest
| sort - count
| lookup name.csv ip AS src OUTPUT target_ip AS src_target_ip
| lookup name.csv ip AS dest OUTPUT target_ip AS dest_target_ip
| table src_target_ip, src, dest_target_ip, dest, count

BTW, there's no need for reverse after sort if you sort in descending order.

---
If this reply helps you, Karma would be appreciated.
0 Karma
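An extended form of the corrected search, added here as an example and not taken from either poster. It assumes the lookup file really has only the ip column the question describes, so it outputs ip itself under a new name rather than a target_ip column (OUTPUT can only return a field that exists in the CSV; asking for a column the file does not have yields empty values even when the key matches). The field names src_on_list, dest_on_list and list_hit are my own. The country value is quoted because an unquoted value containing a space is parsed as two separate search terms.

```spl
(index=name1 OR index=name2 OR index=name3) src_ip_country="United States" action=allowed
| stats count by src, dest
| lookup name.csv ip AS src OUTPUT ip AS src_on_list
| lookup name.csv ip AS dest OUTPUT ip AS dest_on_list
| eval list_hit=case(isnotnull(src_on_list) AND isnotnull(dest_on_list), "both",
                     isnotnull(src_on_list), "src",
                     isnotnull(dest_on_list), "dest",
                     true(), "none")
| where list_hit!="none"
| sort - count
| table list_hit, src, dest, count
```

Remove the where line to see every src/dest pair with "none" on the rows that did not match. The lookup compares the field value as an exact string, so a CIDR range or stray whitespace in the ip column will not match a plain address; range matching needs a lookup definition with match_type set to CIDR(ip) in transforms.conf rather than the ad hoc file lookup used here.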

ATEsiveL
Observer

Thank you for the response. I made this modification this morning and am still having the same results. No data from the lookup is being placed in the target_ip field to determine if there was a match. There may be a better method of trying to match this data; this is just what I had come up with originally. Also, after I added the lookup I am no longer getting the stats count on the right side, or the sort. Sorry if this is an easy question, I am new to lookup matching. Thank you.

(index=name1 OR index=name2 OR index=name3) src_ip_country="United States" action=allowed
| stats count by  src, dest
| sort count
| reverse
| lookup name.csv ip AS src OUTPUT target_ip AS src_target_ip
| lookup name.csv ip AS dest OUTPUT target_ip AS dest_target_ip
| table target_ip, src, dest


0 Karma

richgalloway
SplunkTrust

The lookup is failing because there is no 'ip' field in the indexed data to look up. Use the AS option to tell lookup where to find the field.

| lookup name.csv ip as src OUTPUT target_ip as src_target_ip
| lookup name.csv ip as dest OUTPUT target_ip as dest_target_ip


---
If this reply helps you, Karma would be appreciated.
0 Karma