Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

INPUTLOOKUP -- Match against field1 OR field2

vragosta
Path Finder
‎06-13-2013 06:35 AM

I am searching some firewall logs against a lookup file using INPUTLOOKUP. I don't care if the IP addresses in the lookup file match the source IP field (src_ip) or destination IP field (dest_ip) in the firewall logs. Is this the only way to craft such a search:

source="udp:514" [| inputlookup hostile_ip2.csv | fields src_ip] OR [| inputlookup hostile_ip2.csv | fields dest_ip]

I'm not sure how efficient this search is, or if it's exactly what I am looking for. It appears to be working as intended.

Thank you,

Tags (1)
Reply

somesoni2
Revered Legend
‎01-07-2014 12:49 PM

Try following-

source="udp:514" [|inputlookup hostile_ip2.csv | eval src_ip=hostile_ip| eval dest_ip=hostile_ip| table src_ip, dest_ip| format "(" "(" "OR" ")" "OR" ")" ]

Assumption
1. hostile_ip2.csv file contains only one fields "hostile_ip".
2. You need to list all the events from Firewall logs (which contains two fields src_ip and dest_ip) where any of src_ip or dest_ip matches hostile_ip.

Reply

the_wolverine
Champion
‎01-07-2014 11:48 AM

You could use format to specify OR instead of the default AND:

 source="udp:514" [ | inputlookup hostile_ip2.csv | fields src_ip,dest_ip | format "(" "(" "AND" ")" "OR" ")" ]
0 Karma
Reply

jpass
Contributor
‎08-28-2013 07:06 PM

One way is to search the entire _raw field instead of searching by field. You might need to reformat your .csv so it only has a single column. You rename your field "query" which is a reserved keyword or something like that. Here's where I found this answer:

http://answers.splunk.com/answers/38520/how-to-generate-a-report-for-searching-the-request-from-huge...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...