How do you use the lookup value as a variable?

lozarich007 · ‎01-12-2019

Hi,

I have the following lookup, which is basically a mapping lookup:
lookup name: "scoring_rules"

source , field_to_use , aggregated_risk_layer
"many FW alerts",src,L1
"virus found", dest,L1
"direct ssh connection",target_ip,L1

i have the following rows under index=notable and I want to get the marked field according to the lookup mapping:

 search_name="many FW alerts" src=**10.0.0.1** dest=10.0.0.2 target_ip=192.168.0.121  action=allow
 search_name="virus found" src=10.0.0.1 dest=**10.0.0.2** target_ip=192.168.0.121  action=allow
 search_name="direct ssh connection" src=10.0.0.1 dest=10.0.0.2 target_ip=**192.168.0.121**  action=allow

Now, I want the lookup value to be the variable to assign the value from the _raw with the relevant mapped field. something like that:

index=notable search_name=*
| lookup local=true search_name source as search_name 
| eval src=field_to_use.value_from_lookup_to_be_the_var

henriquelinsmey · ‎03-19-2020

Hi lozarich007,
Have you worked out the solution for your case? I have the same scenario here and looking for assistance.

martin_mueller · ‎01-13-2019

You can cheat using foreach:

base search OR'ing all thse variations
| lookup search_name source as search_name
| foreach src dest target_ip and all other fields your lookup can refer to, or * if you want to be lazy
  [eval output = if(field_to_use="<<FIELD>>", '<<FIELD>>', output)]
| do stuff with the output field

How do you use the lookup value as a variable?

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases