Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup table to a lookup table. Examples please.....

TheMarkHodgkins
Explorer
‎11-09-2011 04:32 AM

Pardon my newbie'ness 😆

Does anyone have an example where Search results are matched to table entries (simple CSV should be fine) - but then are matched (counted) to a further table entry, e.g.

Search results generate a count respectively of items from the lookup table like.

a). Restricted application
b). host-sweep
c). read-exposure
d). privileged access
e). protocol violation
f). code execution
g). buffer overflow
h). dos
i). statistical deviation
j). remote access
k). restriced access
l). service sweep
m). write exposure
n). port-scan
o). arbitrary command execution
etc

But then those being further broken down against a further lookup table to make a more consolidated count of : -

a). Policy Violation.
b). Reconaissance attacks
c). Exploit
d). Volume DOS
e). Malware.

Hope that clear and you can see my problem 😆

Thanks

Mark

Tags (3)
0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎11-09-2011 05:45 AM

You can have a lookup table as such:

input_field, attack_type, attack_family

field1, Restricted application, Policy Violation

field13, privileged access, Policy Violation

field2, host sweep, Reconaissance attacks

field3, service sweep, Reconaissance attacks

field4, port scan, Reconaissance attacks

Then, you can do lookups on (and run stats to get counts of) both, the attack_type and attack_family.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...