Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Whitelisting using lookups

lemikg
Communicator
‎02-22-2013 08:54 AM

Hi,

I don't know if this is the right way to do it, but I have a list of COMMANDS which I have associated a Classification (name).

This search gives me a table with PID, COMMAND count and Classification and some of those results in the field Classification have blanks in it.

sourcetype=top COMMAND | multikv | rex field=COMMAND "^(?.+?)\/" | rex field=COMMAND "^(?.+?)_" | dedup COMMAND | stats count by PID, COMMAND | lookup command_lookup.csv COMMAND AS COMMAND OUTPUT Classification AS Classification | eval Classification=if(isnull(Classification),command_lookup.csv,Classification)
What I am trying is to let Splunk write "NULL" in that field if it doesn't find a match in the lookup file.
Or maybe the search query is just wrong.

Can anybody help me here?

thanks in advance.

regards
Mike

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-22-2013 09:13 AM

Well, if I understand the question properly, your goal is to have a lookup table return a default value if the key does not exist in the lookup. One way to accomplish this is by defining the lookup in transforms.conf and setting a default match there. A stanza similar to this should do it.

[command_lookup]
filename=command_lookup.csv
min_matches = 1
default_match = NULL

Now your lookup command in your search changes to:

... | lookup command_lookup COMMAND AS COMMAND OUTPUT Classification AS Classification

Since the stanza defines the filename

One approach for post-processing exclusively in the search language is eval and its coalesce command. You can do something like this:

| eval Classification=coalesce(Classification,'NULL')

The coalesce command returns the first non-empty value among its arguments.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-22-2013 09:13 AM

Well, if I understand the question properly, your goal is to have a lookup table return a default value if the key does not exist in the lookup. One way to accomplish this is by defining the lookup in transforms.conf and setting a default match there. A stanza similar to this should do it.

[command_lookup]
filename=command_lookup.csv
min_matches = 1
default_match = NULL

Now your lookup command in your search changes to:

... | lookup command_lookup COMMAND AS COMMAND OUTPUT Classification AS Classification

Since the stanza defines the filename

One approach for post-processing exclusively in the search language is eval and its coalesce command. You can do something like this:

| eval Classification=coalesce(Classification,'NULL')

The coalesce command returns the first non-empty value among its arguments.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-24-2013 04:49 AM

Here is a tutorial on how to setup a lookup. It can be done entirely from the Splunk GUI.
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldlookups

Reply
Solved! Jump to solution

lemikg
Communicator
‎02-22-2013 11:14 AM

Hi dwaddle, thanks for your feedback. Unfortunately I am not familiar with the stanza setup and in addition to that I have limited access (web interface only).

I would appreciate a search command solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...