Splunk Search

How to filter search result using a multi field lookup table?

edhealea
Path Finder

So, I am trying to use a lookup table spammer.csv to filter out results from my search but can't get the filtering logic down to make it work completely.
Table
A1Sender,A1Sender_domain,A2Sender,A2Sender_domain,Recipient{}
fred@flintstone.com,,tinker@sbuggy.com,,
,*@bbunny.com,mmouse@wd.com,,
,*@wd.com,,*@bbunny.com,
,,,,myemail@me.com

I can get this to work:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender]
| table _time, A1Sender, A2Sender

How do I code something like:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender
| fields A1Sender_domain, A2Sender
| fields A1Sender_domain, A2Sender_domain
| fields Recipient{}]
| table _time, A1Sender, A2Sender


edhealea
Path Finder

If I am following you right, my search without any exclusions will return the fields A1Sender, A2Sender, Recipients{} plus some other fields not related to the lookup csv such as user, _time, src_ip ...

The csv contains A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}. The data for each row is manually added into the csv as they are discovered. Not every field is filled, as in the example below.

A1Sender              A1Sender_domain   A2Sender            A2Sender_domain   Recipient{}
fred@flintstone.com                     tinker@sbuggy.com
                      *@bbunny.com      mmouse@wd.com
                      *@wd.com                              *@bbunny.com
                                                                              myemail@me.com


ITWhisperer
SplunkTrust

Please can you clarify what fields you want to use from the lookup table and which fields in your search you want them compared to?


edhealea
Path Finder

A1Sender, A2Sender and Recipients{} are fields within the events.
I am looking to exclude anything in the lookup table from the results found in {mysearch}.

If fields A1Sender, A2Sender contain values then omit them from the results. This works in the first example but getting the rest to work has been difficult.

If field Recipient{} contains values then omit them from the results.

If fields A1Sender_domain and A2Sender are set, convert A1Sender_domain into A1Sender and use A2Sender to omit from results.
If fields A1Sender_domain and A2Sender_domain are set, same as above but A2Sender_domain will be A2Sender.

Did that answer your question?

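One way to express the exclusion described in this post and in the original question, as an added example that is not from the thread. It assumes the event fields carry the same names as the lookup columns, that inputlookup returns empty CSV cells as absent fields, and that search's own wildcarding is meant to apply to entries such as *@wd.com.

```spl
{my search}
| rename "Recipient{}" as Recipient
| search NOT
    [ | inputlookup spammer.csv
      | eval A1Sender=if(isnull(A1Sender) OR A1Sender="", A1Sender_domain, A1Sender),
             A2Sender=if(isnull(A2Sender) OR A2Sender="", A2Sender_domain, A2Sender)
      | rename "Recipient{}" as Recipient
      | fields A1Sender, A2Sender, Recipient
      | format ]
| table _time, A1Sender, A2Sender, Recipient
```

Each lookup row becomes one AND-ed clause of the generated NOT expression, so the first row only drops events where both senders match, while a row holding just Recipient{} drops events on that recipient alone. Run the bracketed subsearch by itself to see the exact expression it produces before relying on the exclusion.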

ITWhisperer
SplunkTrust
SplunkTrust

Which fields do you have in your lookup and which fields do you have returned by your event search?
