Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup in main search and subsearch - how to compare the results?

dsms
Engager
‎09-04-2023 12:23 PM

Hello 🙂
I want to find in subsearch autonomous_system for the IP address which I provided (in this example for 1.1.1.1) . Next, based on the name of the autonomous_system returned from subsearch, I want to find all IP addresses connecting to my network that belongs to that autonomous_system
For now I have something like that:

index=firewall src_ip=*
| lookup asn ip as src_ip

[search index=firewall  src_ip=1.1.1.1
| fields src_ip
| lookup asn ip as src_ip
| rename autonomous_system AS subsearch_autonomous_system
| dedup subsearch_autonomous_system]

| stats values(src_ip) by subsearch_autonomous_system

But when I run this search I got error:
Error in 'lookup' command: Cannot find the source field '(' in the lookup table 'asn'.

Can anyone help me with that?

Regards
Daniel

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2023 03:42 PM

Your subsearch is in the wrong place - it should be a constraint to the outer search, whereas now it is attached to your lookup statement on your second line, hence the error.

There are a couple of ways to solve this

1. Make the lookup an automatic lookup. That means the outer search will already have the autonomous_system value from the event's src_ip. In that case you can do the search like this

index=firewall src_ip=* 
[ 
  | makereults
  | eval src_ip=1.1.1.1
  | lookup asn ip as src_ip
  | fields autonomous_system
]
| stats values(src_ip) by autonomous_system

There is no point in searching the index in the subsearch just to construct a lookup for an IP address, just use makeresults to perform the lookup.

2. If you do not already have the autonomous_subysystem in your data you can't use a subsearch to constrain it, so you will have to do the lookup twice, the first time to get the subsystem for the event and the second to get the subsystem of the wanted match IP (1.1.1.1), so the search is

index=firewall src_ip=* 
| lookup asn ip as src_ip
| eval match_src_ip=1.1.1.1
| lookup asn ip as match_src_ip OUTPUT autonomous_system as wanted_autonomous_system
| where autonomous_system=wanted_autonomous_system
| stats values(src_ip) by autonomous_system

Hope this helps

View solution in original post

Reply
Solved! Jump to solution

dsms
Engager
‎09-11-2023 01:17 AM

Thank you for such detailed explanation 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2023 03:42 PM

Your subsearch is in the wrong place - it should be a constraint to the outer search, whereas now it is attached to your lookup statement on your second line, hence the error.

There are a couple of ways to solve this

1. Make the lookup an automatic lookup. That means the outer search will already have the autonomous_system value from the event's src_ip. In that case you can do the search like this

index=firewall src_ip=* 
[ 
  | makereults
  | eval src_ip=1.1.1.1
  | lookup asn ip as src_ip
  | fields autonomous_system
]
| stats values(src_ip) by autonomous_system

There is no point in searching the index in the subsearch just to construct a lookup for an IP address, just use makeresults to perform the lookup.

2. If you do not already have the autonomous_subysystem in your data you can't use a subsearch to constrain it, so you will have to do the lookup twice, the first time to get the subsystem for the event and the second to get the subsystem of the wanted match IP (1.1.1.1), so the search is

index=firewall src_ip=* 
| lookup asn ip as src_ip
| eval match_src_ip=1.1.1.1
| lookup asn ip as match_src_ip OUTPUT autonomous_system as wanted_autonomous_system
| where autonomous_system=wanted_autonomous_system
| stats values(src_ip) by autonomous_system

Hope this helps

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...