Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup table help

picaresqu3
Engager
‎07-30-2019 06:32 PM

Hi All,

Still learning the ropes here, but am making some dashboards and could use some help with a lookup table. I have a panel that gives me the top 10 used ports leaving my router. Would like to match the dest_port with a description for what runs on said port, which is contained in the lookup csv.

I've imported my CSV into Splunk (port_descriptions.csv) and it has 3 colums: protocol, port, description

Here is a quick shot of what it looks like:

protocol    port    description
TCP         0   Reserved
TCP         1   Port Service Multiplexer
TCP         2   Management Utility
TCP         3   Compression Process

Here is my current search, 

index=nwk AND action=allowed AND protocol=TCP
| top dest_port
| rename dest_port AS "Destination Port"
| rename count AS "Hits"
| rename percent AS "Percent of Top 10"

I've tried adding the following, but it seems to give me different results than the original search above. Not sure if i should also have the search map the protocol, too?

| lookup port_descriptions.csv port AS dest_port
| top dest_port by description

Anyway, if you've come this far, thanks for reading and trying to help a noobie out.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-31-2019 04:16 AM

Hi picaresqu3,
try something like this:

 index=nwk action=allowed protocol=TCP
 | top dest_port
 | lookup port_descriptions.csv port AS dest_port OUTPUT description
 | rename dest_port AS "Destination Port" count AS "Hits" percent AS "Percent of Top 10" description AS Description
 | table "Destination Port" Description Hits "Percent of Top 10"

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

picaresqu3
Engager
‎07-31-2019 08:05 AM

@gcusello thank you! I was getting duplicates in the description field since the CSV had TCP and UDP entries, but I just broke them out into 2 separate lookup table files to fix. Thank you! 😄

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-31-2019 04:16 AM

Hi picaresqu3,
try something like this:

 index=nwk action=allowed protocol=TCP
 | top dest_port
 | lookup port_descriptions.csv port AS dest_port OUTPUT description
 | rename dest_port AS "Destination Port" count AS "Hits" percent AS "Percent of Top 10" description AS Description
 | table "Destination Port" Description Hits "Percent of Top 10"

Bye.
Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-31-2019 10:33 AM

Hi picaresqu3,
if this answer helped you, please accept and/or upvote it.
Bye, see next time.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...