Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to include additional field from inputlook...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sonicZ
Contributor
09-19-2012
05:16 PM
Currently i am populating my summary index with a list of malware listed ips with
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup
| rename watch_ip as clientip | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other
the inputlookup watchlist_ip_lookup.csv file has two columns, the watch_type is optional as sometimes it's blank
watch_ip, watch_type
2.187.19.0, C2
49.244.116.184,
46.63.167.216, C2
.... etc
How would i include the watch_type field in all the results for my summary index?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-19-2012
10:07 PM
Will this work?
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup
| rename watch_ip as clientip | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-19-2012
10:07 PM
Will this work?
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup
| rename watch_ip as clientip | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sadkha
Path Finder
08-21-2014
03:44 PM
I have a similar issue however I'm using a dnslookup. I've tried a few variations however, i can't seem to get the dnslookup result to appear on the table.
index=xxx sourcetype="WinEventLog:Security" "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc= mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| dnslookup forward ComputerName Client_Address
| table account_domain account_name ComputerName Caller_Computer_Name Client_Address
In the above example, the "Client_Address" field is ooming up blank. Any ideas? thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
10-03-2016
06:53 PM
@sadkha - the syntax is wrong for your lookup in the fourth line. Here is a link to the lookup command. So I think that what you want might be:
| lookup dnslookup clientip as Client_Address OUTPUT clienthost as ComputerName
But I am not sure that I know what your field names are...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
santhosh2kece
Engager
05-06-2014
03:49 AM
I was looking for a similar output and the above search worked. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sonicZ
Contributor
09-20-2012
09:05 AM
Awesome thanks Lisa, that outer lookup was the trick. Its pulling up the extra field from the lookup now.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
May 2026 Splunk Expert Sessions: Security & Observability
Level Up Your Operations: May 2026 Splunk Expert Sessions
Whether you are refining your security posture or ...
Network to App: Observability Unlocked [May & June Series]
In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...
