Log4j matching

Papemalik1 · ‎12-22-2021

Hello,

I have 2 lookups, L0011 which contains all (Known) products with the vulnerability Log4shell and L0012 with all the products and assets that I have in house.

I would like to join these 2 lookups to have at the end: all vulnerable products that I have and the assets for each products.

But so far the joining is not working. I have used the command join and lookup, i have added wildcard on the lookup definition also, but it's not working either. (the results is not exhaustive, i have very few matches)

the main issue is that the names of the products don't match identically (even with wildcard).

Do you guys have any idea on how could I do matching with my two lookups?

do not hesiate to ask if I need to clarify more.

Thanks a lot in advance

johnhuang · ‎12-22-2021

I would consider the approach of normalizing your data -- either clean up the source or lookup products field to match the other.

Log4j matching

join

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation

Log4j matching

join

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence