Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I use the data from lookup table column as search on live index?

socks
Loves-to-Learn Lots
‎03-10-2022 03:01 PM

I just built my first lookup table, because I have a csv of about 200 servers with the in different ip spaces and I need to perform 2 things . 1. confirm the ip's in the csv's are in splunk and 2. display per ip what ports are listening.

So my query has been this 

index=* |stats count by src_ip , dest_port [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address " as query



I have confirmed the lookup table is there and I can see it , and I can query the network, im just having issues with ingesting the 200+ ips as search items and then marrying the ports and prots with it . thanks in advance if this makes sense or am i looking at it all wrong ?

Labels (4)
Labels
Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-11-2022 01:08 AM

I think what you mean to do is

index=* [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address" as src_ip]
| stats count by src_ip, dest_port

 (Note your sample code missed a closing bracket; also the rename command contained  an extra space in quotes.)

0 Karma
Reply

Zhanali
Path Finder
‎03-10-2022 10:38 PM

Hello @socks 

Also, try this

| inputlookup networkservers.csv
| rename "IPv4 Address" as src_ip
| join type=outer src_ip
    [| search index=* src_ip=* dest_port=*
    | stats count by src_ip dest_port]

 

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎03-10-2022 09:01 PM

Hi @socks 

Can you try with this 

index=*
| lookup networkservers.csv "IPv4 Address" as src_ip OUTPUT src_ip
| stats count by src_ip,dest_port

 

0 Karma
Reply

socks
Loves-to-Learn Lots
‎03-15-2022 07:07 AM

nope this is not working , as the query seems to think the field src_ip is in the lookup table and it is not

 

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...