Splunk Search

Compare entire lookup table to another

splunk219783
Path Finder

I thought this would be easy but I'm struggling. I have a CSV of firewall rules from yesterday, and a CSV of firewall rules from today. They're being ingested into Splunk, but I figured the easiest way to compare the two would be to make them lookup tables. But I can't figure out how to compare ALL values. This is to audit for any changes. The data is kind of like this:

Yesterday's Rules:

Name         Action  SrcIp           DestIp                   Port
WebServer    Allow   192.168.1.2     192.168.0.3              80
Application  Deny    192.168.1.10    192.168.0.11             1020
Outbound     Allow   192.168.0.0/24  *                        80


Today's Rules:

Name         Action  SrcIp           DestIp                   Port
WebServer    Allow   192.168.1.2     192.168.0.3,192.168.0.4  80
Application  Deny    192.168.1.10    192.168.0.11             1020
Outbound     Allow   192.168.0.0/24  *                        80


In the example the WebServer can now access an additional server. But in reality any value could change and I need to alert on it. I basically just want to do a diff. A little surprised it's difficult to do in Splunk.


gcusello
SplunkTrust

Hi @splunk219783,

You have to use stats; please try something like this:

| inputlookup yesterday_rules.csv
| eval lookup_name="yesterday_rules.csv"
| append [ | inputlookup today_rules.csv | eval lookup_name="today_rules.csv" ]
| stats 
   dc(lookup_name) AS lookup_name_count 
   values(lookup_name) AS lookup_name
   BY Name Action SrcIp DestIp Port
| where lookup_name_count=1
| table Name Action SrcIp DestIp Port lookup_name

In this way you have all the differences.

Ciao.

Giuseppe

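The same comparison, done outside Splunk as an added example (this is not code from the post or from Splunk): the two CSVs are loaded as sets of full-row tuples, so the set difference is exactly what the answer's `stats dc(lookup_name) ... BY Name Action SrcIp DestIp Port | where lookup_name_count=1` produces. It then goes one step further than the SPL and pairs the "only in yesterday" and "only in today" rows by Name, so the alert can say which rule changed and in which field, rather than just listing two rows. The column names are the ones from the post; the two CSV strings are constructed sample data that reproduce the post's tables.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data modelled on the two tables in the post (not real rules).
YESTERDAY_CSV = """Name,Action,SrcIp,DestIp,Port
WebServer,Allow,192.168.1.2,192.168.0.3,80
Application,Deny,192.168.1.10,192.168.0.11,1020
Outbound,Allow,192.168.0.0/24,*,80
"""

TODAY_CSV = """Name,Action,SrcIp,DestIp,Port
WebServer,Allow,192.168.1.2,"192.168.0.3,192.168.0.4",80
Application,Deny,192.168.1.10,192.168.0.11,1020
Outbound,Allow,192.168.0.0/24,*,80
"""

# Field names from the post; every field takes part in the comparison.
FIELDS = ("Name", "Action", "SrcIp", "DestIp", "Port")


def load_rules(text):
    """Parse a rule CSV into a set of full-row tuples, one per rule.

    Keying on the whole row is the same idea as the SPL answer's
    `stats ... BY Name Action SrcIp DestIp Port`: two rules are equal only
    if every field matches. Whitespace is stripped so a stray trailing
    space is not reported as a rule change.
    """
    rows = set()
    for row in csv.DictReader(io.StringIO(text)):
        rows.add(tuple(row[f].strip() for f in FIELDS))
    return rows


def diff_rules(old_text, new_text):
    """Return (added, removed, modified) between two rule exports.

    added/removed hold row tuples present in only one table, which is the
    symmetric difference the SPL answer selects with lookup_name_count=1.
    modified pairs a row that vanished with a row that appeared under the
    same Name and lists the fields that differ, so the alert names what
    changed (e.g. WebServer: DestIp) instead of printing two raw rows.
    """
    old, new = load_rules(old_text), load_rules(new_text)
    only_old = old - new
    only_new = new - old

    by_name_old = defaultdict(list)
    for row in only_old:
        by_name_old[row[0]].append(row)

    modified, added = [], []
    for row in sorted(only_new):
        candidates = by_name_old.get(row[0])
        if candidates:
            before = candidates.pop()
            changed = [f for f, a, b in zip(FIELDS, before, row) if a != b]
            modified.append({"name": row[0], "changed": changed,
                             "before": before, "after": row})
        else:
            added.append(row)
    # Whatever is left under a Name had no counterpart in today's export.
    removed = sorted(r for rows in by_name_old.values() for r in rows)
    return added, removed, modified


if __name__ == "__main__":
    added, removed, modified = diff_rules(YESTERDAY_CSV, TODAY_CSV)
    for m in modified:
        print(f"MODIFIED {m['name']}: {', '.join(m['changed'])} "
              f"{m['before']} -> {m['after']}")
    for r in added:
        print("ADDED", r)
    for r in removed:
        print("REMOVED", r)
```

On the post's data this reports one modified rule, WebServer, with DestIp as the changed field, and nothing added or removed. Because pairing is by Name only, a rule that was renamed and edited in the same day shows up as one removal plus one addition rather than a modification, which is the safer direction for an audit: nothing is silently merged.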