I have 2 devices: fw and waf. I want to make a lookup. My lookup file is mal_ip and has 4 fields:
mal_ip,category,product,port
220.127.116.11,mal_ip,firewall,443
I want to say: where src=mal_ip, show category. The common fields are product and port.
My query is:
index=fw OR index=waf [ |inputlookup mal_ip | where src=mal_ip| fields category,mal_ip,product,port]|stats count by src category
But it doesn't match any fields. Can you tell me what I can do?
This assumes that your lookup file is referenced by a lookup definition called mal_ip (if not, replace the first mal_ip value with the correct lookup definition or
index=fw OR index=waf | lookup mal_ip mal_ip AS src product port OUTPUT category
You're using the lookup in the wrong way to achieve your results. @richgalloway is almost right in his answer:
index=fw OR index=waf | lookup mal_ip mal_ip as src OUTPUT category product port | stats count by src category
However, if you want to match on more than src, and you need to check the product and the port as well, it would be written as follows:
index=fw OR index=waf
| lookup mal_ip mal_ip as src product as product port as port OUTPUT category
| stats count by src category
This will match against src, product, and port. But product and port have to be extracted/defined before using the | lookup in that search.
You'll need to make sure that both the lookup table (CSV file) AND the definition are created.
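As an added illustration that is not part of this thread or of Splunk itself, the Python below models what the single-key `lookup mal_ip mal_ip as src` form and the three-key `mal_ip as src product as product port as port` form do to a handful of constructed fw/waf events, then applies `stats count by src category`. The events and the second lookup row are constructed sample data, and the first-match-only behaviour is a simplification noted in the code.

```python
import csv
import io
from collections import Counter

# Constructed lookup table in the shape of the question's mal_ip CSV
# (the second row is added sample data, not from the thread).
MAL_IP_CSV = """mal_ip,category,product,port
220.127.116.11,mal_ip,firewall,443
220.127.116.11,mal_ip,waf,80
"""

# Constructed events for index=fw OR index=waf; the last has no product/port extracted.
EVENTS = [
    {"src": "220.127.116.11", "product": "firewall", "port": "443"},
    {"src": "220.127.116.11", "product": "firewall", "port": "22"},
    {"src": "220.127.116.11", "product": "waf", "port": "80"},
    {"src": "10.0.0.5", "product": "waf", "port": "80"},
    {"src": "220.127.116.11"},
]

def lookup(events, table, match, output):
    """Model of `| lookup <table> <lookup_field> AS <event_field> ... OUTPUT <f>`.
    `match` maps lookup field -> event field; every mapped event field must exist.
    Simplification: first matching row only (Splunk would give multivalues)."""
    index = {}
    for row in table:
        index.setdefault(tuple(row[f] for f in match), row)
    out = []
    for ev in events:
        ev = dict(ev)
        if all(match[f] in ev for f in match):
            row = index.get(tuple(ev[match[f]] for f in match))
            if row:
                ev.update({f: row[f] for f in output})
        out.append(ev)
    return out

def stats_count_by(events, *by):
    """Model of `| stats count by ...`: events lacking a by-field are dropped."""
    keys = [tuple(ev[f] for f in by) for ev in events if all(f in ev for f in by)]
    return dict(Counter(keys))

def run():
    table = list(csv.DictReader(io.StringIO(MAL_IP_CSV)))
    # lookup mal_ip mal_ip AS src OUTPUT category
    single = lookup(EVENTS, table, {"mal_ip": "src"}, ["category"])
    # lookup mal_ip mal_ip AS src product AS product port AS port OUTPUT category
    multi = lookup(EVENTS, table, {"mal_ip": "src", "product": "product", "port": "port"}, ["category"])
    return stats_count_by(single, "src", "category"), stats_count_by(multi, "src", "category")
```

The single-key form counts every event from the listed IP (4), while the three-key form only counts events whose product and port also appear in the table (2); the event with no product/port extracted never matches the three-key form.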
Recall that subsearches run before the main search. Therefore,
|inputlookup mal_ip | where src=mal_ip| fields category,mal_ip,product,port must return results. Since there is no 'src' field, the query will not return any results. Try the following variation:
index=fw OR index=waf | lookup mal_ip mal_ip as src OUTPUT category | stats count by src category
Make sure the fw and waf indexes are returning events with a field called 'src'. If not, add eval statements to create such a field.