Splunk Search

INPUTLOOKUP -- Match against field1 OR field2

vragosta
Path Finder

I am searching some firewall logs against a lookup file using INPUTLOOKUP. I don't care if the IP addresses in the lookup file match the source IP field (src_ip) or destination IP field (dest_ip) in the firewall logs. Is this the only way to craft such a search:

source="udp:514" [| inputlookup hostile_ip2.csv | fields src_ip] OR [| inputlookup hostile_ip2.csv | fields dest_ip]

I'm not sure how efficient this search is, or if it's exactly what I am looking for. It appears to be working as intended.

Thank you,


somesoni2
Revered Legend

Try the following:

source="udp:514" [|inputlookup hostile_ip2.csv | eval src_ip=hostile_ip| eval dest_ip=hostile_ip| table src_ip, dest_ip| format "(" "(" "OR" ")" "OR" ")" ] 

Assumptions:
1. The hostile_ip2.csv file contains only one field, "hostile_ip".
2. You need to list all events from the firewall logs (which contain two fields, src_ip and dest_ip) where either src_ip or dest_ip matches hostile_ip.
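The following Python is an added example, not code from the thread or from Splunk: it reproduces the search string that Splunk's `format` command emits for the subsearch above (row prefix, column prefix, column separator, column end, row separator, row end, with the defaults being "(" "(" "AND" ")" "OR" ")"), and runs the resulting src_ip-OR-dest_ip logic over a few constructed firewall events. The CSV contents and the events are constructed sample data; the function names are this example's own.

```python
"""
Added example (not from the thread): what `| format "(" "(" "OR" ")" "OR" ")"`
produces for somesoni2's subsearch, and the match logic that search expresses.
"""
import csv
import io

# Constructed stand-in for hostile_ip2.csv: a single column named hostile_ip.
HOSTILE_IP2_CSV = """hostile_ip
198.51.100.7
203.0.113.42
"""

# Constructed firewall events, as extracted from udp:514 syslog lines.
FIREWALL_EVENTS = [
    {"src_ip": "10.0.0.5",     "dest_ip": "198.51.100.7"},   # hostile destination
    {"src_ip": "203.0.113.42", "dest_ip": "10.0.0.9"},       # hostile source
    {"src_ip": "10.0.0.5",     "dest_ip": "10.0.0.9"},       # internal only
]


def load_hostile_ips(csv_text):
    """Equivalent of `| inputlookup hostile_ip2.csv` on the one-column file."""
    return [row["hostile_ip"] for row in csv.DictReader(io.StringIO(csv_text))]


def splunk_format(rows, fields, row_prefix="(", col_prefix="(", col_sep="AND",
                  col_end=")", row_sep="OR", row_end=")"):
    """Render rows the way `| format` does: each row's field="value" terms are
    joined by col_sep and wrapped in col_prefix/col_end; rows are joined by
    row_sep and wrapped in row_prefix/row_end. Defaults mirror Splunk's."""
    rendered_rows = []
    for row in rows:
        terms = [f'{f}="{row[f]}"' for f in fields]
        rendered_rows.append(f"{col_prefix} {(' ' + col_sep + ' ').join(terms)} {col_end}")
    return f"{row_prefix} {(' ' + row_sep + ' ').join(rendered_rows)} {row_end}"


def build_subsearch(csv_text, col_sep="OR"):
    """Equivalent of:
       | inputlookup hostile_ip2.csv | eval src_ip=hostile_ip | eval dest_ip=hostile_ip
       | table src_ip, dest_ip | format "(" "(" "OR" ")" "OR" ")"
    Pass col_sep="AND" to see what the default format would have produced."""
    rows = [{"src_ip": ip, "dest_ip": ip} for ip in load_hostile_ips(csv_text)]
    return splunk_format(rows, ["src_ip", "dest_ip"], col_sep=col_sep)


def hits(events, csv_text, require_both=False):
    """Events selected by the generated search. With the "OR" column separator a
    row matches when either field equals the hostile IP; with the default "AND"
    both src_ip and dest_ip would have to equal the same hostile IP."""
    hostile = set(load_hostile_ips(csv_text))
    if require_both:
        return [e for e in events if e["src_ip"] in hostile and e["dest_ip"] == e["src_ip"]]
    return [e for e in events if e["src_ip"] in hostile or e["dest_ip"] in hostile]


if __name__ == "__main__":
    print(build_subsearch(HOSTILE_IP2_CSV))
    print(build_subsearch(HOSTILE_IP2_CSV, col_sep="AND"))
    for event in hits(FIREWALL_EVENTS, HOSTILE_IP2_CSV):
        print("match:", event)
```

Running the block prints the expanded search `( ( src_ip="198.51.100.7" OR dest_ip="198.51.100.7" ) OR ( src_ip="203.0.113.42" OR dest_ip="203.0.113.42" ) )`, which is what the outer `source="udp:514"` search receives, and it selects the two events that touch a hostile IP on either side. The `col_sep="AND"` variant shows why the default `format` is unsuitable here: each row would become `( src_ip="x" AND dest_ip="x" )`, which only matches traffic whose source and destination are the same hostile address.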

the_wolverine
Champion

You could use format to specify OR instead of the default AND:

source="udp:514" [ | inputlookup hostile_ip2.csv | fields src_ip,dest_ip | format "(" "(" "AND" ")" "OR" ")" ]
0 Karma

jpass
Contributor

One way is to search the entire _raw field instead of searching by field. You might need to reformat your .csv so it only has a single column. You rename your field "query" which is a reserved keyword or something like that. Here's where I found this answer:

http://answers.splunk.com/answers/38520/how-to-generate-a-report-for-searching-the-request-from-huge...

0 Karma