Using a lookup to search another lookup

jwhughes58 · ‎11-07-2023

I have two lookups. One consists of the allowed URLs. The other consists of the URLs from a firewall. For example in the first

google.com
dummy.com

In the second

site1.google.com
site2.google.com

The first lookup is ingested from a file sent by the FW team. I create the second lookup with this search

index=my_firewall sourcetype=my_sourcetype (rule=rule_1 OR rule=rule_2 OR rule=rule_3) [ | inputlookup external_url.csv ]
| fields url
| dedup url
| table url
| outputlookup external_results.csv

This gives me the sites that have been reached over the time period. Next I use this search

| inputlookup external_url.csv
| lookup external_results.csv url OUTPUTNEW url as isFound

I think this is giving me what I want, but I can't view the output the way I want. I would like to see

allowed_url   fw_url   isFound

Using the sample data

google.com   site_1.google.com   true
google.com   site_2.google.com   true
dummy.com                        false

TIA,

Joe

richgalloway · ‎11-07-2023

With a little massaging of fields, we can get you the desired output.

| inputlookup external_url.csv
| lookup external_results.csv allowed_url as url OUTPUTNEW url as isFound
| eval fw_url=isFound, isFound=if(isnull(isFound),"false", "true")
| table allowed_url fw_url isFound

---
If this reply helps you, Karma would be appreciated.

Using a lookup to search another lookup

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?