
Index <--> KV lookup column issue

So, I have an issue when I try to look up KV store columns in a data model based on an eval function.

So to give more context and better understanding, I have firewall logs with the following fields:
{ src_ip, src_port, dest_ip, dest_port }

I have a kvstore1 lookup with columns as: { ipAddress, score }
I have a kvstore2 lookup with columns as: { critical_ipAddress }

What I'm trying to achieve:
Show scores (from kvstore1) for ipAddress from firewall logs (both, src_ip and dest_ip) IF they are critical (from kvstore2)

So I created a data model.
Global Search: eventtype = "firewall-logs" -> That gives me the base search.
Now adding a child is where I'm stuck.

  1. I need to perform a DUAL lookup with kvstore2, mapping src_ip <-> ipAddress & dest_ip <-> ipAddress. Would this be done using EVAL?
  2. Then, perform lookup of the result of (1) with kvstore1 to map to scores.

How would one perform these?

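One way to express the two-stage lookup the question describes, written as an added example and not the poster's own search. It assumes kvstore1 and kvstore2 are the names of the lookup definitions that sit on top of the KV store collections, and that the search is first tried as a plain search before being folded into the data model.

```spl
eventtype="firewall-logs"
| lookup kvstore2 critical_ipAddress AS src_ip  OUTPUT critical_ipAddress AS src_critical
| lookup kvstore2 critical_ipAddress AS dest_ip OUTPUT critical_ipAddress AS dest_critical
| where isnotnull(src_critical) OR isnotnull(dest_critical)
| lookup kvstore1 ipAddress AS src_ip  OUTPUT score AS src_score
| lookup kvstore1 ipAddress AS dest_ip OUTPUT score AS dest_score
| eval src_score=if(isnotnull(src_critical), src_score, null()),
       dest_score=if(isnotnull(dest_critical), dest_score, null())
| table _time src_ip src_critical src_score dest_ip dest_critical dest_score
```

Each `lookup` line maps one event field onto the lookup's key field, so the "dual" lookup is simply the same lookup run twice with a different AS mapping; in the Data Model Editor the same pair becomes two Lookup fields on the child dataset, one per input mapping, rather than an eval. The `where` clause is the "IF they are critical" condition (drop an event only when neither side matched kvstore2), and the `eval` blanks the score on any side that is not critical so a non-critical peer of a critical IP does not get scored.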