I have a field named HASH which contains hash values and I would like to compare it to md5 and sha256 (name of the other 2 fields) in another index. I am trying to compare in Automatic Lookups, and the input fields in the automatic lookups have the HASH field name as my input value to compare against md5 and sha256.
Any suggestions ?
eval based calculated field http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields for the sourcetype of the events that contain the sha256 fields. The eval you could use for the calculated field could be this:
EVAL-HASH = coalesce(HASH, md5, sha256)
eval will either use the value of sha256 for the calculated field called HASH. Apply the automatic lookup on the field HASH and it should provide the result.
Hope this helps ...
If the calculated field approach is not doable for you try this search:
your base search here to get md5 OR sha256 | eval HASH = coalesce(HASH, md5, sha256) | lookup YourLookupNameHere HASH | do more ....
I am not sure if I followed you.
Again, I have a .csv file with columns HASH, allowordeny, hash_type as lookup input and I am comparing HASH in the .csv file with another datasource which has data fields as md5 and sha256. I cannot use automatic lookup, since I am trying to accomplish a one (HASH) to many comparison (md5 and sha256). Is this doable? Any other solution that would work?
your base search here to get md5 OR sha256
| eval HASH = coalesce(HASH, md5, sha256)
| lookup YourLookupNameHere HASH | do more ....
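As an added example (not from either poster), the search above written out against the asker's CSV columns, with one caveat: coalesce(HASH, md5, sha256) keeps only the first non-null value, so an event that carries both md5 and sha256 is checked on md5 alone and a CSV entry that only lists the sha256 would be missed. Running the lookup once per hash field covers both. The lookup file name hashlist.csv, the index name and the lowercase hashes in the CSV are assumptions.

```spl
index=endpoint (md5=* OR sha256=*)
| eval md5=lower(md5), sha256=lower(sha256)
| lookup hashlist.csv HASH AS md5 OUTPUTNEW allowordeny AS verdict_md5 hash_type AS type_md5
| lookup hashlist.csv HASH AS sha256 OUTPUTNEW allowordeny AS verdict_sha256 hash_type AS type_sha256
| eval allowordeny=coalesce(verdict_md5, verdict_sha256), hash_type=coalesce(type_md5, type_sha256)
| where isnotnull(allowordeny)
| table _time host md5 sha256 allowordeny hash_type
```

CSV lookups match case-sensitively by default, which is why the lower() step is there; drop it if the CSV already matches the case of the event fields.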
I am using md5 and sha256 as one of the comparing fields in the automatic lookup
so my automatic lookup looks like
hash = sha256
hash = md5
Output all "allow" and "deny" if they satisfy the equation