Hi guys,
I'm a Splunk noob here and I'm going nuts. I know this is an extremely simple search and I can't get it right.
I'm trying to create a search for remote access applications based on our firewall index.
IP cidr will be pulled from a lookup file (network_assets.csv) and matched to the source ip from my events. There are fields from the lookup file that do not exist in the events. I'm particularly interested in adding this field called usertags (which is included in the lookup).
I am using these links as a reference and I can't get it to work.
https://community.splunk.com/t5/Splunk-Search/How-do-I-append-columns-to-a-search-via-inputlookup-wh...
index=fw
| search appcat=Remote.Access
| search app!="RDP" AND app!="WMI.DCERPC"
| lookup network_assets.csv cidr
| eval cidr=src
| search usertags="*server*"
| table src dest app url appcat usertags
My search currently does not give me any results. Any help would be much appreciated.
It would help to see a sample event or two and a sample row or two from the lookup file.
It would help immensely if you explained what is meant by "can't get it to work". What results do you get and how do they not meet expectation?
If the lookup file contains CIDR addresses and the index does not then a lookup definition should be created so you can enable CIDR lookups. If that's the case then let us know so we can go into detail on that.
FTR, search performance can be improved by moving the search commands into the base search.
index=fw appcat=Remote.Access app!="RDP" app!="WMI.DCERPC"
| lookup network_assets.csv cidr
| eval cidr=src
| search usertags="*server*"
| table src dest app url appcat usertags
If this reply helps you, Karma would be appreciated.
try "| lookup network_assets.csv OUTPUT cidr AS src"
Idiot me was doing it all wrong and that answer definitely helped! Thank you!! ❤️
Thank you so much for responding ❤️
This is what a sample of the lookup would look like
cidr description AssetId name netNamespace networkId usertags
10.20.16.0/23 | London(AD) | aaaa-cucuc-5460-9e-98888 | AD-assets | default | Wired|Server | ||
10.10.34.0/24 | Cancun | bb0cuc-9181-51-8957-833357f2a1 | Virtualization | default | Wired|Server |
I get a "No results found". I know the search itself does give me results if I input a particular IP address as source, as I know that there have been remote access applications running on servers.
Have you set up advanced options for the lookup, specifically CIDR as the match type?
Define a CSV lookup in Splunk Web - Splunk Documentation
Also, you possibly want to change the lookup to this
| lookup network_assets.csv cidr AS src
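The lookup definition the reply above points to, written out as an added example that is not part of the thread: a transforms.conf stanza on the search head that makes the cidr column match by CIDR range, followed by the search that uses it. The stanza name network_assets is my own choice; the filename and the cidr and usertags columns are the ones the thread shows. The search must reference the stanza name rather than the .csv filename, because referencing the file directly bypasses the definition and its match type, so src would only ever be compared as a literal string against the CIDR text.

```ini
# transforms.conf (search head, e.g. $SPLUNK_HOME/etc/apps/search/local/)
# Added example, not from the thread. Stanza name "network_assets" is assumed;
# filename and column names (cidr, usertags) come from the thread.
[network_assets]
filename = network_assets.csv
# Match the event's IP address against the CIDR ranges held in the "cidr" column
# instead of requiring an exact string match.
match_type = CIDR(cidr)

# The search to pair with this definition (SPL, shown here as a comment):
# index=fw appcat=Remote.Access app!="RDP" app!="WMI.DCERPC"
# | lookup network_assets cidr AS src OUTPUT usertags
# | search usertags="*server*"
# | table src dest app url appcat usertags
```

The same setting is reachable in Splunk Web under Settings > Lookups > Lookup definitions > Advanced options > Match type, and the definition's sharing must allow the app or user running the search to see it.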
thank you!!!!!!!!!!!!! 🙂
Are you sure that there is a column called cidr in your lookup? If you just run the following what do you see?
| inputlookup network_assets.csv
I see the lookup itself with the following fields:
cidr description AssetId name Namespace networkId tags usertags
try this
index=fw
| search appcat=Remote.Access
| search app!="RDP" AND app!="WMI.DCERPC"
| lookup network_assets.csv cidr OUTPUT src
| search usertags="*server*"
| table src dest app url appcat usertags
I get an error: Error in 'lookup' command: Cannot find the destination field 'src' in the lookup table 'network_assets.csv'.