Splunk Search

How to include additional field from inputlookup in results?

sonicZ
Contributor

Currently I am populating my summary index with a list of malware-listed IPs with

index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif"  [ | inputlookup watchlist_ip_lookup  
    | rename watch_ip as clientip | fields + clientip ] 
| dedup clientip 
| lookup ga ip as clientip 
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other

The inputlookup watchlist_ip_lookup.csv file has two columns; the watch_type is optional, as sometimes it's blank:

    watch_ip, watch_type
    2.187.19.0, C2
    49.244.116.184,
    46.63.167.216, C2
    .... etc

How would I include the watch_type field in all the results for my summary index?

1 Solution

lguinn2
Legend

Will this work?

index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif"  [ | inputlookup watchlist_ip_lookup  
    | rename watch_ip as clientip | fields + clientip ] 
| dedup clientip 
| lookup ga ip as clientip 
| lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type 
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_type
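The answer's trick is that the subsearch only filters events to watchlist IPs, while a second, outer `lookup` is what actually copies `watch_type` onto each result, including the rows whose `watch_type` is blank in the CSV. The following is an added Python simulation of that pipeline written for this page; it is not Splunk code and not part of the original post. The watchlist and the web-access events are constructed to match the shapes shown above, and `load_watchlist` / `enrich` are hypothetical helper names that stand in for `inputlookup` and the outer `lookup ... OUTPUT watch_type`.

```python
import csv
import io
from typing import Dict, List

# Constructed watchlist in the same shape as watchlist_ip_lookup.csv from the
# question: an optional, sometimes blank, watch_type and spaces after the commas.
WATCHLIST_CSV = """watch_ip, watch_type
2.187.19.0, C2
49.244.116.184,
46.63.167.216, C2
"""

# Constructed web-access events standing in for the index=blah... results.
EVENTS: List[Dict[str, str]] = [
    {"clientip": "2.187.19.0", "uri": "/login", "status": "200"},
    {"clientip": "49.244.116.184", "uri": "/admin", "status": "403"},
    {"clientip": "49.244.116.184", "uri": "/dot_clear.gif", "status": "200"},
    {"clientip": "10.0.0.5", "uri": "/index.html", "status": "200"},
    {"clientip": "46.63.167.216", "uri": "/api", "status": "500"},
    {"clientip": "46.63.167.216", "uri": "/api2", "status": "200"},
]


def load_watchlist(csv_text: str) -> Dict[str, str]:
    """Parse the lookup CSV into {watch_ip: watch_type} (the inputlookup step).

    skipinitialspace plus strip() means '2.187.19.0, C2' keys on '2.187.19.0'
    rather than on ' 2.187.19.0', which would silently match nothing.
    A blank watch_type column becomes an empty string.
    """
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    table: Dict[str, str] = {}
    for row in reader:
        ip = (row.get("watch_ip") or "").strip()
        if not ip:
            continue
        table[ip] = (row.get("watch_type") or "").strip()
    return table


def enrich(events: List[Dict[str, str]], watchlist: Dict[str, str],
           exclude_uri: str = "/dot_clear.gif") -> List[Dict[str, str]]:
    """Mirror the SPL pipeline from the accepted answer:
    NOT uri=... [subsearch on watch IPs] | dedup clientip
    | lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type
    """
    seen = set()
    out: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("uri") == exclude_uri:          # NOT uri="/dot_clear.gif"
            continue
        ip = ev.get("clientip", "")
        if ip not in watchlist:                    # [ | inputlookup ... ] filter
            continue
        if ip in seen:                             # | dedup clientip
            continue
        seen.add(ip)
        row = dict(ev)
        # The outer lookup: copy watch_type from the CSV onto the event. A blank
        # watch_type is still added as an (empty) field, so the summary index
        # gets the column for every watchlisted IP, not only the ones tagged C2.
        row["watch_type"] = watchlist[ip]
        out.append(row)
    return out


if __name__ == "__main__":
    for row in enrich(EVENTS, load_watchlist(WATCHLIST_CSV)):
        print(row["clientip"], row["uri"], repr(row["watch_type"]))
```

Running it yields one row per watchlisted IP, with `watch_type` set to `'C2'` for the two C2 entries and `''` for `49.244.116.184`; the internal `10.0.0.5` event and the `/dot_clear.gif` hit are dropped, which is the same shape of output the outer `lookup` produces in Splunk.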

sadkha
Path Finder

I have a similar issue; however, I'm using a dnslookup. I've tried a few variations; however, I can't seem to get the dnslookup result to appear on the table.

index=xxx sourcetype="WinEventLog:Security" "EventCode=644" OR "EventCode=4740"  
| eval Win2K8_acc= mvindex(Account_Name,1)  
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| dnslookup forward ComputerName Client_Address 
| table account_domain account_name ComputerName Caller_Computer_Name Client_Address

In the above example, the "Client_Address" field is coming up blank. Any ideas? Thanks in advance!


lguinn2
Legend

@sadkha - the syntax is wrong for your lookup in the fourth line. Here is a link to the lookup command. So I think that what you want might be:

 | lookup dnslookup  clientip as Client_Address  OUTPUT clienthost as ComputerName 

But I am not sure that I know what your field names are...


santhosh2kece
Engager

I was looking for a similar output and the above search worked. Thanks.


sonicZ
Contributor

Awesome, thanks Lisa, that outer lookup was the trick. It's pulling up the extra field from the lookup now.
