Lookup Table Comparison with field and to return field value that is not in the lookup

peetchow
Loves-to-Learn Lots

All,

I know there are a lot of postings with answers on lookup tables, but I am still stuck. I have not splunked in a few years and I hit a wall even when looking back at some of my old saved strings.

I have a csv file that has 2 columns. One that contains IPAddress and the other that has SubnetMasks.

I am searching in my logs for IPAddresses that I want to compare with the IPAddresses that are in the lookup csv file. If the IPAddresses are not found, then display them in a table.

My query is as follows:

index=blah  field3="*" | fields field3 field4 | dedup field3 | rename field3 as Source_IP | lookup ip_whitelist IPAddress AS Source_IP | eval InWhitelist="Yes" | table Source_IP IPAddress field4 InWhitelist | where InWhitelist="Yes" | sort -Source_IP

  • where field3 is the field with the IP Addresses (extracted from delimited extractions)
  • where field4 is the field that has the hostname

This spits out a nice table, but I notice IPs that are not in my whitelist are showing up.

What is wrong here!?

Your help is greatly appreciated!

Thanks

P


peetchow
Loves-to-Learn Lots

Sadly it did not work. Any IP I put in for field3 (whether in the whitelist or not) displayed in a table with a value of "Yes" for InWhitelist.

Also, field4 that holds the hostname does not carry over to the table.


saravanan90
Contributor

This may help...

The search below will search the lookup and pull the results when the IP is not available in the lookup.

| makeresults | eval field3="192.168.1.6", field4="hostname" | fields field3 field4 | dedup field3 | rename field3 as Source_IP | lookup ip_whitelist IPAddress AS Source_IP | eval InWhitelist=if(isnull(SubnetMasks),"Yes","No") | table Source_IP field4 InWhitelist SubnetMasks | where InWhitelist="Yes"

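The root cause in the original search is that `eval InWhitelist="Yes"` sets the flag on every row, whether or not the lookup matched, so the final `where` filters nothing out. A lookup that finds no matching row simply adds no output fields, so the membership test has to be a null check on a field the lookup writes. The search below is an added example, not code from either poster; it assumes the lookup `ip_whitelist` has the CSV headers `IPAddress` and `SubnetMasks` exactly as described in the question, and the same `index=blah`, `field3` and `field4` as the original search. The `OUTPUT` clause names the fields the lookup returns explicitly, so an event field with the same name cannot be silently overwritten and the null check is unambiguous:

```spl
index=blah field3="*"
| fields field3 field4
| dedup field3
| rename field3 AS Source_IP
| lookup ip_whitelist IPAddress AS Source_IP OUTPUT IPAddress AS Whitelist_IP, SubnetMasks AS Whitelist_Mask
| eval InWhitelist=if(isnull(Whitelist_IP), "No", "Yes")
| where InWhitelist="No"
| table Source_IP field4 InWhitelist
| sort -Source_IP
```

Two things to check before relying on the result. First, the field name given to `lookup` must match the CSV header exactly (`IPAddress`, not `IPAddresses`); a name that is not in the lookup produces an error rather than an empty match. Second, because the CSV carries a `SubnetMasks` column, it may describe networks rather than single hosts; the `lookup` command above does exact string matching on `IPAddress`, so a host inside a whitelisted subnet will still be reported as not whitelisted. If that is the intent of the file, the lookup definition needs CIDR matching (a `match_type = CIDR(<field>)` setting on a field holding CIDR notation, such as `192.168.1.0/24`), which means converting the address and mask pair into a prefix-length form before the exact-match approach shown here will behave as expected.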