Splunk Search

Should I use lookup or inputlookup in search?

mohsplunking
Explorer

Hello Splunkers,

Please if someone can help me with a Splunk query,

I have a list of IPs I imported in lookup table, I want to grab the FW traffic where dest_ip in the FW logs matches my lookup list of IPs, I'm confused what command i should use in search "inputlook" or "lookup.

Moreover, I would be grateful is someone can explain me the difference beteween inputlook and lookup with an example.

Thank you,

 

Moh

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @mohsplunking,

if you have different field names between main and sub search, you have to rename one of them to have the same field name in both.

So if the field in the lookup is called "blackip" and the field in the main search is "dest_ip", you have to rename it:

index=fw [ | inputlookup blackip.csv | rename blackip AS dest_ip | fields dest_ip ] 
| stats values(src_ip) AS src_ip values(dest_ip) AS dest_ip by port

I hint to use a different field as grouping field because port could be too generic and has too many values in src_ip and dest_ip, I'd use src_ip having port as values:

index=fw [ | inputlookup blackip.csv | rename blackip AS dest_ip | fields dest_ip ] 
| stats values(port) AS port values(dest_ip) AS dest_ip by src_ip

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @mohsplunking,

lookup command is used to enrich results with the content of the lookup joining them with the main search results.

inputlookup is used in the main search or in subsearches.

If you want to filter results of the main search it's better to use inputlookup,

index=your_index [ | inputlookup your_lookup.csv | fields your_key_field ]
| ...

but it's also possible to use lookup with a following search command.

index=your_index 
| lookup your_lookup.csv your_key_field
| search one_lookup_field_not_present_in_the_main_search=*
| ...

The choose depends on the search:

if you want to implement an exclusion filter (NOT [ | inputlookup ...]) it's better to use inputlookup.

If you have to implement a positive filter ([ | inputlookup ...]) and you don't need to use the other fields of the lookup to enrich results, you can use inputlookup;

if instead you have a positive filter and you want to have also some fields from the lookup, it's easier to use lookup with a following search command.

Ciao.

Giuseppe

mohsplunking
Explorer

Hello GC,

Thanks for your response and help , however, I still have a bit of confusion, where in this search I'm telling my dest_ip value from the indexed field should match my lookup field "blackip" value.

And when you say your_key_filed is this the indexed field or the lookup fieldname, Lets take the 1st search you gave as example and please advise if this is any good and will show me the results as src,dst,port where dst should be only the one that are matched from my lookup table.

index=fw [ | inputlookup blackip.csv | fields dest_ip ] | stats values(src_ip) values(dest_ip) by port

 

 

Thanks,

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mohsplunking,

if you have different field names between main and sub search, you have to rename one of them to have the same field name in both.

So if the field in the lookup is called "blackip" and the field in the main search is "dest_ip", you have to rename it:

index=fw [ | inputlookup blackip.csv | rename blackip AS dest_ip | fields dest_ip ] 
| stats values(src_ip) AS src_ip values(dest_ip) AS dest_ip by port

I hint to use a different field as grouping field because port could be too generic and has too many values in src_ip and dest_ip, I'd use src_ip having port as values:

index=fw [ | inputlookup blackip.csv | rename blackip AS dest_ip | fields dest_ip ] 
| stats values(port) AS port values(dest_ip) AS dest_ip by src_ip

Ciao.

Giuseppe

mohsplunking
Explorer

Thanks a billion  @gcusello  it was great explanations from you I got the results I wanted.

0 Karma
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...