Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter search result using a multi field lookup table?

edhealea
Path Finder
‎04-29-2022 10:32 AM

So, I am trying to use a lookup table spammer.cvs to filter out results from my search but can't get the filtering logic down to make it work completely.
Table
A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}
fred@flintstone.com, ,tinker@sbuggy.com, , ,
 ,*@bbunny.com,mmouse@wd.com, , ,
 ,*@wd.com, ,*@bbunny.com, ,
 , , , ,myemail@me.com

I can get this to work;
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender]
| table _time, A1Sender,  A2Sender

How do I code something like;
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender
| fields A1Sender_domain, A2Sender
| fields A1Sender_domain, A2Sender_domain
| fields Recipient{}]
| table _time, A1Sender,  A2Sender

Labels (3)
Labels
0 Karma
Reply

edhealea
Path Finder
‎04-29-2022 02:59 PM

If I am following you right, my search without any exclusions will return  the fields A1Sender,  A2Sender, Recipients{} plus some other fields not related to the lookup csv such as user, _time, src_ip ...

The csv contains A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}. The data for each roll is manually added into the csv as they are discovered.  Not every field is filled as in the example below.

A1Sender                        A1Sender_domain       A2Sender                      A2Sender_domain     Recipient{}
fred@flintstone.com                                                 tinker@sbuggy.com                                         
                                           *@bbunny.com,                mmouse@wd.com                                     
                                           *@wd.com,                                                                   *@bbunny.com,
                                                                                                                                                                                   myemail@me.com

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2022 10:43 AM

Please can you clarify what fields you want to use from the lookup table and which fields in your search you want them compared to?

0 Karma
Reply

edhealea
Path Finder
‎04-29-2022 11:04 AM

A1Sender,  A2Sender and Recipients{} are fields within the events.
I am looking to exclude anything in the lookup table from the results found in {mysearch}

If fields A1Sender, A2Sender contain values then omit them from the results.  This works in the first example but getting the rest to work have been difficult.

If field Recipient{}] contain values then omit them from the results. 

If field A1Sender_domain, A2Sender  convert A1Sender_domain into A1Sender and use A2Sender to omit from results
If field A1Sender_domain, A2Sender_domain same as above by A2Sender_domain will be A2Sender.

Did that answer your question?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2022 01:48 PM

Which fields do you have in your lookup and which fields do you have returned by your event search?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top