Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter search result using a multi field lookup table?

edhealea
Path Finder
‎04-29-2022 10:32 AM

So, I am trying to use a lookup table spammer.cvs to filter out results from my search but can't get the filtering logic down to make it work completely.
Table
A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}
fred@flintstone.com, ,tinker@sbuggy.com, , ,
 ,*@bbunny.com,mmouse@wd.com, , ,
 ,*@wd.com, ,*@bbunny.com, ,
 , , , ,myemail@me.com

I can get this to work;
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender]
| table _time, A1Sender,  A2Sender

How do I code something like;
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender
| fields A1Sender_domain, A2Sender
| fields A1Sender_domain, A2Sender_domain
| fields Recipient{}]
| table _time, A1Sender,  A2Sender

Labels (3)
Labels
0 Karma
Reply

edhealea
Path Finder
‎04-29-2022 02:59 PM

If I am following you right, my search without any exclusions will return  the fields A1Sender,  A2Sender, Recipients{} plus some other fields not related to the lookup csv such as user, _time, src_ip ...

The csv contains A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}. The data for each roll is manually added into the csv as they are discovered.  Not every field is filled as in the example below.

A1Sender                        A1Sender_domain       A2Sender                      A2Sender_domain     Recipient{}
fred@flintstone.com                                                 tinker@sbuggy.com                                         
                                           *@bbunny.com,                mmouse@wd.com                                     
                                           *@wd.com,                                                                   *@bbunny.com,
                                                                                                                                                                                   myemail@me.com

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2022 10:43 AM

Please can you clarify what fields you want to use from the lookup table and which fields in your search you want them compared to?

0 Karma
Reply

edhealea
Path Finder
‎04-29-2022 11:04 AM

A1Sender,  A2Sender and Recipients{} are fields within the events.
I am looking to exclude anything in the lookup table from the results found in {mysearch}

If fields A1Sender, A2Sender contain values then omit them from the results.  This works in the first example but getting the rest to work have been difficult.

If field Recipient{}] contain values then omit them from the results. 

If field A1Sender_domain, A2Sender  convert A1Sender_domain into A1Sender and use A2Sender to omit from results
If field A1Sender_domain, A2Sender_domain same as above by A2Sender_domain will be A2Sender.

Did that answer your question?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2022 01:48 PM

Which fields do you have in your lookup and which fields do you have returned by your event search?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top