How do I use the data from lookup table column as ...

socks · ‎03-10-2022

I just built my first lookup table, because I have a csv of about 200 servers with the in different ip spaces and I need to perform 2 things . 1. confirm the ip's in the csv's are in splunk and 2. display per ip what ports are listening.

So my query has been this

index=* |stats count by src_ip , dest_port [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address " as query

I have confirmed the lookup table is there and I can see it , and I can query the network, im just having issues with ingesting the 200+ ips as search items and then marrying the ports and prots with it . thanks in advance if this makes sense or am i looking at it all wrong ?

yuanliu · ‎03-11-2022

I think what you mean to do is

index=* [|inputlookup networkservers.csv | fields "IPv4 Address" | rename "IPv4 Address" as src_ip]
| stats count by src_ip, dest_port

(Note your sample code missed a closing bracket; also the rename command contained an extra space in quotes.)

Zhanali · ‎03-10-2022

Hello @socks

Also, try this

| inputlookup networkservers.csv
| rename "IPv4 Address" as src_ip
| join type=outer src_ip
    [| search index=* src_ip=* dest_port=*
    | stats count by src_ip dest_port]

SanjayReddy · ‎03-10-2022

Hi @socks

Can you try with this

index=*
| lookup networkservers.csv "IPv4 Address" as src_ip OUTPUT src_ip
| stats count by src_ip,dest_port

----
Regards,
Sanjay Reddy

----
If this reply helps you, Karma would be appreciated.

socks · ‎03-15-2022

nope this is not working , as the query seems to think the field src_ip is in the lookup table and it is not

How do I use the data from lookup table column as search on live index?

metadata

stats

subsearch

tstats

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023