Solved: Re: Search a Datamodel using field values from a l...

mztopp · ‎02-15-2021

I have a lookup: test.csv that has a list of 10 IP's (src_ip). I want to be able to search a datamodel that looks for traffic from those 10 IPs in the CSV from the lookup and displays info on the IPs even if it doesn't match. Currently I have tried:

| tstats count from datamodel=DM where
[| inputlookup test.csv | rename src_ip to DM.src_ip
| fields DM.src_ip]
by DM.src_ip

| rename DM.src_ip AS src_ip

| iplocation src_ip

| fillnull value="NULL"

| table src_ip, Country

The issue is that if the IP from the lookup isnt found in the DataModel, it doesn't include that entire line, so instead of 10 IPs with 10 countries, I get maybe 5-6 IPs and their respective countries. I want the DM to always include all 10 IPs from the lookup in the table. I understand that I can just use the lookup to get countries, but I specifically want to have the datamodel available for other data while always including all 10 IPs in the table.

PradReddy · ‎02-15-2021

If current DM doesn't bring all src_ip related information from subsearch then you can add all src_ip's using an additional inputlookup and append it to DM results

View solution in original post

PradReddy · ‎02-15-2021

If current DM doesn't bring all src_ip related information from subsearch then you can add all src_ip's using an additional inputlookup and append it to DM results

Search a Datamodel using field values from a lookup csv file

lookup

table

tstats

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?