Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search a lookup table to find any IP addresses that match the IPs in my firewall events?

meadowh
Explorer
‎06-25-2015 02:11 AM

I have a lookup table called - c2cisp.csv. the definition is called c2cisp.
The table has a field name ip. It contains IP addresses.
I want to search through my firewall logs to check to see any events where the ip in my events field 'd_ip' matches any of the ips in the 'ip' field in my lookup table.
Seems like it should be pretty easy right?

Any help much appreciated

Tags (4)
0 Karma
Reply

meadowh
Explorer
‎06-26-2015 12:22 AM

Great thanks guys.
i had a few errors in my lookup table that caused some weird results.
All good now.

I have used this before as my guide:
search | lookup [lookup definition name] [fieldname1 in lookup table to check] as [fieldname2 in events] OUTPUT [ fieldname3 in lookuptable ] as [fieldname4 - you can create a new name] | search [fieldname4]=”*”

couldn't understand why it wasn't working this time!

Reply

matthieu_araman
Communicator
‎06-25-2015 02:30 PM

I would do something like
* | lookup c2cisp.csv ip as d_ip OUTPUT ip as c2cisp | search c2cisp=*

0 Karma
Reply

vinitatsky
Communicator
‎06-25-2015 03:30 AM

sourcetype="" | rename d_ip as ip | lookup c2cisp ip OUTPUTNEW ip | table ip,

1) | rename d_ip as ip -- Just to make sure both fields names are same (lookup field name and actual field name)
2) | lookup c2cisp ip OUTPUTNEW ip -- This command will look for 'ip' value in 'c2cisp' and will output ip field from lookup. If you want to view more fields from lookup then you can add it here.

Hope this helps.

Reply

vganjare
Builder
‎06-25-2015 02:42 AM

You can use lookup command. http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Lookup

Refer to examples section.

Thanks!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...