Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to correlate lookup table fields with index fields?

x3ncrypt
Loves-to-Learn Everything
‎01-08-2023 08:01 PM

There is a lookup table with a row called 'ip' containing multiple ip address values which I would like to correlate with firewall traffic in the 'netfw' index, 'src_ip' and 'dest_ip' fields.

Labels (2)
Labels
Tags (2)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-08-2023 08:18 PM

You need to clarify the question.  First, do you mean the table contains a column called 'ip'?  Second, what other column(s) is/are in that lookup; specifically, what other column is relevant to your question?

If you just want to output all other columns based on src_ip and don't remember the correct syntax, you can just look at the first example in lookup.  For example,

| lookup mylookuptable ip AS src_ip

Similarly you can construct the lookup if you want to match dest_ip.  But if you have some special logic that requires lookups with both src_ip and dest_ip, you can either work out yourself, of you'll have to provide a lot more details about your logic, your data, and desired output.

0 Karma
Reply

x3ncrypt
Loves-to-Learn Everything
‎01-08-2023 08:20 PM

I want to correlate values from the column 'ip' in a .csv lookup table with 'src_ip' and 'dest_ip' field values in 'netfw' index.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-08-2023 08:40 PM

This is just a repetition of the original text.  Since both times, you say 'src_ip' and 'dest_ip'.  I already provided the method to match one of these values if you don't want to explain other columns in the CSV because the default is to output all other columns.  But if you need to match both columns, you must provide some logic as to how the output should be handled.  What other columns are in the CSV?  Specifically, what other column you want to lookup with src_ip and dest_ip.

0 Karma
Reply

x3ncrypt
Loves-to-Learn Everything
‎01-08-2023 08:44 PM

Your query did not work. As mentioned, there is only one column I want to correlate, which is 'ip', with the 'src_ip' and 'dest_ip' fields in the 'netfw' index. The other columns of the table are not relevant to the correlation as they do not provide ip address values.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-08-2023 08:51 PM

What you mean is that you want to test whether src_ip and/or dest_ip is present in the table.  Is this correct?  The best way to use a lookup is to have another column or more other columns that you want to correlate to.  But if you don't want correlation and just want to test presence, you can potentially use inputlookup in a subsearch.

index = 'netfw' [
  | inputlookup mylookup
  | eval src_ip = ip
  | rename ip AS dest_ip]

This will output only if BOTH src_ip AND dest_ip are in netfw.

0 Karma
Reply

x3ncrypt
Loves-to-Learn Everything
‎01-08-2023 10:59 PM

That did not work.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top