Splunk Search

Lookup table to a lookup table. Examples please.....

TheMarkHodgkins
Explorer

Pardon my newbie'ness 😆

Does anyone have an example where Search results are matched to table entries (simple CSV should be fine) - but then are matched (counted) to a further table entry, e.g.

Search results generate a count respectively of items from the lookup table like:

a). Restricted application
b). host-sweep
c). read-exposure
d). privileged access
e). protocol violation
f). code execution
g). buffer overflow
h). dos
i). statistical deviation
j). remote access
k). restricted access
l). service sweep
m). write exposure
n). port-scan
o). arbitrary command execution
etc

But then those being further broken down against a further lookup table to make a more consolidated count of:

a). Policy Violation.
b). Reconnaissance attacks
c). Exploit
d). Volume DOS
e). Malware.

Hope that's clear and you can see my problem 😆

Thanks

Mark


_d_
Splunk Employee

You can have a lookup table as such:

input_field, attack_type, attack_family
field1, Restricted application, Policy Violation
field13, privileged access, Policy Violation
field2, host sweep, Reconnaissance attacks
field3, service sweep, Reconnaissance attacks
field4, port scan, Reconnaissance attacks

Then, you can do lookups on (and run stats to get counts of) both the attack_type and attack_family.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!
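As an added illustration (not code from the question or the answer above), here is the two-step match in Python, emulating what `| lookup` and `| stats count by` do in SPL over constructed lookup rows and events. It chains two tables, the way the question describes, which yields the same counts as the single three-column table in the answer; the table names, the `fieldX` row and the event values are assumptions, and the SPL each function mirrors is in the comments.

```python
import csv
from collections import Counter

# Constructed lookup tables (assumed names), modelled on the answer's columns.
# Table 1: raw input_field -> attack_type (the asker's first lookup).
SIGNATURE_TO_TYPE_CSV = """input_field,attack_type
field1,Restricted application
field13,privileged access
field2,host sweep
field3,service sweep
field4,port scan
"""
# Table 2: attack_type -> consolidated attack_family (the asker's second lookup).
TYPE_TO_FAMILY_CSV = """attack_type,attack_family
Restricted application,Policy Violation
privileged access,Policy Violation
host sweep,Reconnaissance attacks
service sweep,Reconnaissance attacks
port scan,Reconnaissance attacks
"""
# Constructed search results, one dict per event; "fieldX" has no row in table 1.
EVENTS = [{"input_field": f} for f in ("field2", "field4", "field13", "field3", "field1", "fieldX")]

def load_lookup(csv_text, key):
    """Parse a CSV lookup into {key_value: row}, keyed on one column."""
    return {row[key]: row for row in csv.DictReader(csv_text.splitlines())}

def lookup(events, table, key, output_fields):
    """Emulate `| lookup <table> <key> OUTPUT <fields>`: enrich matches, leave the rest as-is."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        row = table.get(ev.get(key))
        if row:
            ev.update({f: row[f] for f in output_fields})
        enriched.append(ev)
    return enriched

def stats_count_by(events, *fields):
    """Emulate `| stats count by <fields>`; events lacking a by-field are dropped, as Splunk does."""
    return Counter(tuple(ev[f] for f in fields) for ev in events if all(f in ev for f in fields))

def chained_counts(events=EVENTS):
    """Two chained lookups, equivalent to the single three-column table in the answer:
       | lookup sig_to_type input_field OUTPUT attack_type
       | lookup type_to_family attack_type OUTPUT attack_family
       | stats count by attack_family attack_type"""
    step1 = lookup(events, load_lookup(SIGNATURE_TO_TYPE_CSV, "input_field"), "input_field", ["attack_type"])
    step2 = lookup(step1, load_lookup(TYPE_TO_FAMILY_CSV, "attack_type"), "attack_type", ["attack_family"])
    return stats_count_by(step2, "attack_family"), stats_count_by(step2, "attack_family", "attack_type")
```

The unmatched `fieldX` event carries neither output field, so it drops out of the counts exactly as an event with a null by-field would in Splunk.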
