Use a single field in a lookup table to search acr...

splunkzilla · ‎02-07-2023

I have a simple lookup table that contains a list of IPs. I'd like to take this list and search across all of my indexes, which don't all use the same fields for source/destination IPs. What would be the best/most efficient way to search all of these indexes for IP matches?

bowesmana · ‎02-07-2023

best/most efficient will depends, however, you can do a couple of ways with SPL.

Assuming you have a lookup with a field called 'ip'

your_search [ | inputlookup your_ip_list.csv
  ``` Pick your lookup named ip address field ```
  | fields ip 
  ``` Now for every other field name you want to assign, create a new field
      and assign it to the same IP address ```
  | eval src_ip=ip
  | format "(" "(" "OR" ")" "OR" ")"
]

That will end up with this structure as the return from the subsearch

( ( ip="10.0.0.9" OR src_ip="10.0.0.9" ) OR ( ip="10.0.0.8" OR src_ip="10.0.0.8" ) )

Note that the first OR in the format statement will change the default AND between the same IP address to OR, allowing it to search all fields.

Note that if you have lots of IP addresses and lots of fields, this will end up as a huge subsearch, so may be less efficient than doing a simple lookup, i.e.

your_search 
| eval lookup_ip = coalesce(ip, src_ip, my_ip, xyz_ip)
| lookup your_ip_list.csv ip as lookup_ip OUTPUT ip as found

This creates a single 'lookup_ip' field which is taken from one of a range of field names and then the simple lookup will return 'found' field as the ip address if it's found

Use a single field in a lookup table to search across multiple fields?

lookup

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!