Splunk Search

Match value from lookup table to values of specific fields

Explorer

Hi,

How to match lookup table of ip addresses with the existing field value of host_ip

I want to display IP addresses as a search result once it matches the value from the lookup file with the existing field host_ip addresses based on event code.

I have a list of sensitive server's IP addresses in lookup file .csv Now I would like to match IP address with the existing field host_ip based on specified event code and want to display matched IP's as a search result.

Thanks

0 Karma

SplunkTrust
SplunkTrust

hey @onkarkore1

Take a look at the documentation of lookup command.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup

As per your question, you have host_ip field in raw data and let suppose you have IP field and Event_Code in lookup csv.

So run below search in order to get matched_ip's as mentioned in your question.

<base_search> 
| lookup mylookup.csv IP as "host_ip" OUTPUT Event_Code 
| search Event_Code=* 
| dedup host_ip 
| table host_ip 
| rename host_ip as "Matched Host IP's"

Let me know if this helps!

0 Karma

Explorer

Hi Mayur,

Thanks for your response, As per my question I have a src field in raw data and I have a server_ip column (only one column) in csv lookup

Now I would like to configure the search query which will return the list of servers matching from lookup table to raw_field's servers value based on the given Event_Code.

I will be thankful if you can suggest here.

Thanks,

0 Karma

SplunkTrust
SplunkTrust

As there is only one column in csv. You can not match based on event code as there is no relevance of event code.
However you can still match host ips.

index=<your_index> [ | inputlookup mylookup.csv | dedup server_ip | table server_ip | rename server_ip as src ] | stats count by src | table src

If this does not work then try this

index=<your_index> | dedup src | table src |join src [| inputlookup mylookup.csv | dedup server_ip | rename server_ip as src ]

Let me know if this helps !

0 Karma

Super Champion

@onkarkore1

lookup <lookup-table-name> <lookup-field1> AS <local-field1> OUTPUTNEW <lookup-destfield1> AS <local-destfield1>, <lookup-destfield2> AS <local-destfield2>

the only thing you must be aware of, is that the local-field should exists if you use it in a lookup. mention lookup field name which you are matching with event code

<base_search>|lookup lookup.csv  ip AS host_ip OUTPUTNEW ip_address

here I assume lookup field name as ip to match with host_ip in event and ip_address as field in lookup to display server's IP addresses ..so change field name as per your requirement

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!