How to match a lookup table of IP addresses with the existing field value of host_ip
I want to display IP addresses as a search result once they match the values from the lookup file against the existing host_ip field, based on event code.
I have a list of sensitive servers' IP addresses in a .csv lookup file. Now I would like to match those IP addresses with the existing field host_ip based on a specified event code, and display the matched IPs as a search result.
Take a look at the documentation of
As per your question, you have a host_ip field in the raw data, and let's suppose you have IP and Event_Code fields in the lookup. So run the below search in order to get the matched IPs as mentioned in your question.
<base_search> | lookup mylookup.csv IP AS host_ip OUTPUT Event_Code | search Event_Code=* | dedup host_ip | table host_ip | rename host_ip AS "Matched Host IPs"
Let me know if this helps!
Thanks for your response. As per my question, I have a src field in the raw data and I have a server_ip column (only one column) in the CSV lookup.
Now I would like to configure the search query which will return the list of servers from the lookup table matching the raw field's server values, based on the given Event_Code.
I will be thankful if you can suggest something here.
As there is only one column in the CSV, you cannot match based on event code, as the event code has no relevance there.
However, you can still match host IPs.
index=<your_index> [ | inputlookup mylookup.csv | dedup server_ip | table server_ip | rename server_ip AS src ] | stats count BY src | table src
If this does not work, then try this:
index=<your_index> | dedup src | table src | join src [ | inputlookup mylookup.csv | dedup server_ip | rename server_ip AS src ]
Let me know if this helps !
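An added example, not from any answer in this thread, that combines the two pieces the follow-up asks for: the event code is filtered on the raw events (which is where it lives when the lookup has a single column), and the one-column lookup is applied with the lookup command rather than a subsearch. It assumes the events carry src and Event_Code fields, that mylookup.csv is an uploaded lookup file with a single server_ip column, and a hypothetical event code value of 4624; adjust all three to your data.

```spl
index=<your_index> Event_Code=4624
| lookup mylookup.csv server_ip AS src OUTPUT server_ip AS matched_ip
| where isnotnull(matched_ip)
| stats count AS events, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src
| convert ctime(first_seen) ctime(last_seen)
| rename src AS "Matched Host IP"
```

Events whose src is not in the lookup receive no matched_ip, so the where clause drops them; this is the same check that `search Event_Code=*` performs in the first answer, but on a field that cannot collide with a real event field. Unlike the subsearch form, this is not subject to the default 10,000-result subsearch limit, so a large list of sensitive servers is matched in full. To list activity from hosts that are not in the lookup instead, change the condition to `isnull(matched_ip)`.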
lookup <lookup-table-name> <lookup-field1> AS <local-field1> OUTPUTNEW <lookup-destfield1> AS <local-destfield1>, <lookup-destfield2> AS <local-destfield2>
The only thing you must be aware of is that the local field should exist if you use it in a lookup. Mention the lookup field name which you are matching with the event code.
<base_search> | lookup lookup.csv ip AS host_ip OUTPUTNEW ip_address
Here I assume the lookup field name is ip, to match with host_ip in the event, and ip_address is the field in the lookup to display servers' IP addresses, so change the field names as per your requirement.