Splunk Search

How to filter search result using a multi field lookup table?

edhealea
Path Finder

So, I am trying to use a lookup table spammer.csv to filter out results from my search but can't get the filtering logic down to make it work completely.
Table
A1Sender,A1Sender_domain,A2Sender,A2Sender_domain,Recipient{}
fred@flintstone.com,,tinker@sbuggy.com,,
,*@bbunny.com,mmouse@wd.com,,
,*@wd.com,,*@bbunny.com,
,,,,myemail@me.com

I can get this to work:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender]
| table _time, A1Sender,  A2Sender

How do I code something like:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender
| fields A1Sender_domain, A2Sender
| fields A1Sender_domain, A2Sender_domain
| fields Recipient{}]
| table _time, A1Sender,  A2Sender

0 Karma

edhealea
Path Finder

If I am following you right, my search without any exclusions will return the fields A1Sender, A2Sender, Recipients{} plus some other fields not related to the lookup csv such as user, _time, src_ip ...

The csv contains A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}. The data for each row is manually added into the csv as they are discovered. Not every field is filled, as in the example below.

A1Sender             A1Sender_domain   A2Sender            A2Sender_domain   Recipient{}
fred@flintstone.com                    tinker@sbuggy.com
                     *@bbunny.com      mmouse@wd.com
                     *@wd.com                              *@bbunny.com
                                                                             myemail@me.com

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please can you clarify what fields you want to use from the lookup table and which fields in your search you want them compared to?

0 Karma

edhealea
Path Finder

A1Sender, A2Sender and Recipients{} are fields within the events.
I am looking to exclude anything in the lookup table from the results found in {mysearch}

If fields A1Sender, A2Sender contain values then omit them from the results. This works in the first example but getting the rest to work has been difficult.

If field Recipient{} contains values then omit them from the results.

If fields A1Sender_domain, A2Sender: convert A1Sender_domain into A1Sender and use A2Sender to omit from results.
If fields A1Sender_domain, A2Sender_domain: same as above, but A2Sender_domain will be A2Sender.

Did that answer your question?

0 Karma
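One way to express the exclusion described in the opening post and in the reply above (every filled-in column of a lookup row must match, rows are OR'd together, and a *_domain column stands in for the matching *Sender column as a wildcard pattern), as an added example that is not part of the original thread or either poster's searches. It assumes the lookup file is named spammer.csv with the columns shown above, that the events carry the fields A1Sender, A2Sender and Recipient{} (the thread also spells the event field Recipients{}; adjust to whichever name the events actually use), and that the domain columns already carry a leading wildcard as in the sample rows:

```spl
{my search}
| search NOT
    [ | inputlookup spammer.csv
      | eval A1Sender=if(isnull(A1Sender) OR A1Sender=="", A1Sender_domain, A1Sender)
      | eval A2Sender=if(isnull(A2Sender) OR A2Sender=="", A2Sender_domain, A2Sender)
      | eval A1Sender=if(A1Sender=="", null(), A1Sender)
      | eval A2Sender=if(A2Sender=="", null(), A2Sender)
      | eval Recipient=if(isnull('Recipient{}') OR 'Recipient{}'=="", null(), 'Recipient{}')
      | rename Recipient AS "Recipient{}"
      | fields A1Sender, A2Sender, Recipient{} ]
| table _time, A1Sender, A2Sender, Recipient{}
```

The first two eval lines substitute the domain column for an empty sender column, so a row such as *@wd.com / *@bbunny.com becomes A1Sender="*@wd.com" AND A2Sender="*@bbunny.com". The remaining eval lines turn empty strings into nulls: inputlookup hands back empty CSV cells as empty strings rather than nulls, so fillnull or coalesce alone would leave the column in place and the generated term A1Sender="" would never match an event. Once a column is null it simply drops out of that row's terms, which is what makes the Recipient{}-only row become Recipient{}="myemail@me.com" on its own. To check what the subsearch feeds into NOT, run the bracketed part by itself and append | format; the result should read like ( ( A1Sender="fred@flintstone.com" AND A2Sender="tinker@sbuggy.com" ) OR ( A1Sender="*@bbunny.com" AND A2Sender="mmouse@wd.com" ) OR ... ). Wildcards inside the quoted values are honoured by the search command, and because Recipient{} is multivalued in the events, a match on any one recipient excludes the event. Keep in mind that a subsearch is subject to the default result and runtime limits, so a lookup that grows past a few thousand rows is better handled with the lookup command and a where isnull(...) test than with this pattern.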

ITWhisperer
SplunkTrust
SplunkTrust

Which fields do you have in your lookup and which fields do you have returned by your event search?

0 Karma