Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Whitelisting using lookups

lemikg
Communicator
‎02-22-2013 08:54 AM

Hi,

I don't know if this is the right way to do it, but I have a list of COMMANDS which I have associated a Classification (name).

This search gives me a table with PID, COMMAND count and Classification and some of those results in the field Classification have blanks in it.

sourcetype=top COMMAND | multikv | rex field=COMMAND "^(?.+?)\/" | rex field=COMMAND "^(?.+?)_" | dedup COMMAND | stats count by PID, COMMAND | lookup command_lookup.csv COMMAND AS COMMAND OUTPUT Classification AS Classification | eval Classification=if(isnull(Classification),command_lookup.csv,Classification)
What I am trying is to let Splunk write "NULL" in that field if it doesn't find a match in the lookup file.
Or maybe the search query is just wrong.

Can anybody help me here?

thanks in advance.

regards
Mike

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-22-2013 09:13 AM

Well, if I understand the question properly, your goal is to have a lookup table return a default value if the key does not exist in the lookup. One way to accomplish this is by defining the lookup in transforms.conf and setting a default match there. A stanza similar to this should do it.

[command_lookup]
filename=command_lookup.csv
min_matches = 1
default_match = NULL

Now your lookup command in your search changes to:

... | lookup command_lookup COMMAND AS COMMAND OUTPUT Classification AS Classification

Since the stanza defines the filename

One approach for post-processing exclusively in the search language is eval and its coalesce command. You can do something like this:

| eval Classification=coalesce(Classification,'NULL')

The coalesce command returns the first non-empty value among its arguments.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-22-2013 09:13 AM

Well, if I understand the question properly, your goal is to have a lookup table return a default value if the key does not exist in the lookup. One way to accomplish this is by defining the lookup in transforms.conf and setting a default match there. A stanza similar to this should do it.

[command_lookup]
filename=command_lookup.csv
min_matches = 1
default_match = NULL

Now your lookup command in your search changes to:

... | lookup command_lookup COMMAND AS COMMAND OUTPUT Classification AS Classification

Since the stanza defines the filename

One approach for post-processing exclusively in the search language is eval and its coalesce command. You can do something like this:

| eval Classification=coalesce(Classification,'NULL')

The coalesce command returns the first non-empty value among its arguments.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-24-2013 04:49 AM

Here is a tutorial on how to setup a lookup. It can be done entirely from the Splunk GUI.
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldlookups

Reply
Solved! Jump to solution

lemikg
Communicator
‎02-22-2013 11:14 AM

Hi dwaddle, thanks for your feedback. Unfortunately I am not familiar with the stanza setup and in addition to that I have limited access (web interface only).

I would appreciate a search command solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...