Splunk Search

How to include additional field from inputlookup in results?

sonicZ
Contributor

Currently I am populating my summary index with a list of malware-listed IPs with

index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif"  [ | inputlookup watchlist_ip_lookup  
    | rename watch_ip as clientip | fields + clientip ] 
| dedup clientip 
| lookup ga ip as clientip 
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other

The inputlookup watchlist_ip_lookup.csv file has two columns; the watch_type is optional, as sometimes it's blank:

    watch_ip, watch_type
    2.187.19.0, C2
    49.244.116.184,
    46.63.167.216, C2
    .... etc

How would I include the watch_type field in all the results for my summary index?

1 Solution

lguinn2
Legend

Will this work?

index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif"  [ | inputlookup watchlist_ip_lookup  
    | rename watch_ip as clientip | fields + clientip ] 
| dedup clientip 
| lookup ga ip as clientip 
| lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type 
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_type

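As an added example (not from the original thread), the accepted search with the blank watch_type values from the CSV normalised, assuming the same lookup and index names; the fill value "unclassified" is a constructed placeholder:

```spl
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif"
    [ | inputlookup watchlist_ip_lookup
      | rename watch_ip as clientip
      | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type
| eval watch_type=if(isnull(watch_type) OR trim(watch_type)=="", "unclassified", watch_type)
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, watch_type, country, org, status, referer, uri, host, source, sourcetype, index, other
```

Rows whose CSV entry has an empty watch_type (such as 49.244.116.184 above) then carry "unclassified" rather than a blank cell in the summary index, so later searches can count or split by watch_type reliably.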
sadkha
Path Finder

I have a similar issue; however, I'm using a dnslookup. I've tried a few variations; however, I can't seem to get the dnslookup result to appear on the table.

index=xxx sourcetype="WinEventLog:Security" "EventCode=644" OR "EventCode=4740"  
| eval Win2K8_acc= mvindex(Account_Name,1)  
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| dnslookup forward ComputerName Client_Address 
| table account_domain account_name ComputerName Caller_Computer_Name Client_Address

In the above example, the "Client_Address" field is coming up blank. Any ideas? Thanks in advance!

0 Karma

lguinn2
Legend

@sadkha - the syntax is wrong for your lookup in the fourth line. Here is a link to the lookup command. So I think that what you want might be:

 | lookup dnslookup  clientip as Client_Address  OUTPUT clienthost as ComputerName 

But I am not sure that I know what your field names are...

0 Karma

santhosh2kece
Engager

I was looking for a similar output and the above search worked. Thanks.

0 Karma

sonicZ
Contributor

Awesome, thanks Lisa, that outer lookup was the trick. It's pulling up the extra field from the lookup now.

0 Karma