Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I get a Splunk conditional lookup command to match only specific values?

SplunkNewbie18
New Member
‎12-04-2018 07:39 AM

Hi,

My search is based on 3 sources (firewall log, ioc feed macro and lookup table for ioc). To check for any match on ioc for the destip field.

index=firewall
| search [<macro>
| table destip
| format]
| lookup <lookup table> srcip as destip OUTPUT columnA as A
| lookup <lookup table> srcip as destip OUTPUT columnB as B
| table _time, destip, A, B

However, 1 ioc can have multiple row of data in the for column B:

destip-B
1.1.1.1-high  
1.1.1.1-low

Hence, the result of the above SPL will give me:

_time-destip-A-B
<time>-1.1.1.1-<output A>-high low

How do i include a condition to only lookup and match the ioc for only "high" events in column B in the lookup table, to be as below ouput?

_time-destip-A-B
<time>-1.1.1.1-<output A>-high
Tags (4)
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎12-04-2018 08:19 AM

I'll be the first to say this.. Your query is going to be painfully slow and will not scale, especially with firewall logs.

Instead, you should lump all 3 sources together like this 

(index=firewall sourcetype=...) OR (index=...) 
| stats count by srcip
| lookup

Also, rather than using table, you should use a stats before the lookup for better performance

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...