Solved: Using lookup table as source for search

tmwhitm · ‎12-08-2017

I am looking for a way to perform a search and produce results matching search results against a lookup table or vice versa. The scenario is a lookup table with two columns, IP & Description. I wish to run a search and produce results on the IP addresses that match the IP addresses in the lookup table. My syntax is not correct on what I have been able to test, see below for the SPL I was using. I know there must be a straight forward way to accomplish this task. Much appreciated for any support.

Thank you,
Tom

index="network" sourcetype="cisco:asa" | join srcip [ search inputlookup append=t FLASHAB000089 | rename IPAddr as srcip]

elliotproebstel · ‎12-08-2017

Here's the syntax I use for such cases:

index="network" sourcetype="cisco:asa" 
[ | inputlookup FLASHAB000089 
  | stats values(IPAddr) as src_ip 
  | format ]

View solution in original post

tmwhitm · ‎06-06-2018

The syntax in the accepted answer works great but when I create a lookup table with UrLs, it does not work. Any ideas on how to use a lookup table with UrLs? I have SPL like this that isn't working,

The lookup table UrL-Input contains two columns, URL & Description.

Any assistance is appreciated.

Tom

tmwhitm · ‎12-08-2017

Just tried it and working with a control IP i added to the lookup table. Thank you very much!

elliotproebstel · ‎12-08-2017

Here's the syntax I use for such cases:

index="network" sourcetype="cisco:asa" 
[ | inputlookup FLASHAB000089 
  | stats values(IPAddr) as src_ip 
  | format ]

View solution in original post