Splunk Search

Whitelisting using lookups

Communicator

Hi,

I don't know if this is the right way to do it, but I have a list of COMMANDS to which I have associated a Classification (name).

This search gives me a table with PID, COMMAND count and Classification, and some of those results have blanks in the field Classification.

sourcetype=top COMMAND | multikv | rex field=COMMAND "^(?.+?)\/" | rex field=COMMAND "^(?.+?)_" | dedup COMMAND | stats count by PID, COMMAND | lookup commandlookup.csv COMMAND AS COMMAND OUTPUT Classification AS Classification | eval Classification=if(isnull(Classification),commandlookup.csv,Classification)
What I am trying is to let Splunk write "NULL" in that field if it doesn't find a match in the lookup file.
Or maybe the search query is just wrong.

Can anybody help me here?

thanks in advance.

regards
Mike

1 Solution

SplunkTrust

Well, if I understand the question properly, your goal is to have a lookup table return a default value if the key does not exist in the lookup. One way to accomplish this is by defining the lookup in transforms.conf and setting a default match there. A stanza similar to this should do it.

[command_lookup]
filename=command_lookup.csv
min_matches = 1
default_match = NULL

Now your lookup command in your search changes to:

... | lookup command_lookup COMMAND AS COMMAND OUTPUT Classification AS Classification 

Since the stanza defines the filename


One approach for post-processing exclusively in the search language is eval and its coalesce command. You can do something like this:

| eval Classification=coalesce(Classification,"NULL")

The coalesce command returns the first non-empty value among its arguments.


0 Karma
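The two approaches in the answer (a transforms.conf default_match versus a coalesce in the search) both turn a missing lookup match into a visible marker instead of a blank cell, which is the point of an allowlist check: a process whose command is not in the list should stand out for review, not vanish. The following Python is an added example that is not code from this thread or from Splunk; it re-implements the lookup-with-default semantics over a constructed lookup table and constructed top-style rows so the difference between "field absent" and "field = NULL" can be seen offline. It assumes the question's two rex commands extract back into COMMAND (the group name was lost from the page), and it omits the dedup step.

```python
import csv
import io
import re

# Constructed stand-in for the thread's command_lookup.csv (rows are made up).
LOOKUP_CSV = """COMMAND,Classification
sshd,remote-access
splunkd,monitoring
cron,scheduler
"""

# Constructed rows in the shape of sourcetype=top after multikv.
TOP_ROWS = [
    {"PID": "1201", "COMMAND": "sshd"},
    {"PID": "1202", "COMMAND": "splunkd_server/bin"},  # exercises both rex rules
    {"PID": "1203", "COMMAND": "cron"},
    {"PID": "1204", "COMMAND": "updater_helper"},      # not in the lookup
    {"PID": "1205", "COMMAND": "python3/venv"},        # not in the lookup
]


def normalise_command(command):
    """Mimic the question's two rex commands, assuming they extract into
    COMMAND: keep the text before the first '/', then before the first '_'.
    Like rex, each rule only changes the field when its pattern matches."""
    m = re.match(r"^(.+?)/", command)
    if m:
        command = m.group(1)
    m = re.match(r"^(.+?)_", command)
    if m:
        command = m.group(1)
    return command


def load_lookup(csv_text):
    """Read the lookup CSV into a COMMAND -> Classification dict."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["COMMAND"]: row["Classification"] for row in reader}


def classify(rows, lookup, default_match=None):
    """Equivalent of `stats count by PID, COMMAND | lookup ... OUTPUT Classification`.
    default_match=None behaves like a plain lookup: no match leaves the field
    absent (null). A string such as "NULL" behaves like transforms.conf
    `min_matches = 1` with `default_match = NULL`."""
    counts = {}
    for r in rows:
        key = (r["PID"], normalise_command(r["COMMAND"]))
        counts[key] = counts.get(key, 0) + 1
    results = []
    for (pid, cmd), n in sorted(counts.items()):
        rec = {"PID": pid, "COMMAND": cmd, "count": n}
        if cmd in lookup:
            rec["Classification"] = lookup[cmd]
        elif default_match is not None:
            rec["Classification"] = default_match
        results.append(rec)
    return results


def coalesce(*values):
    """eval coalesce(): the first argument that is neither null nor empty."""
    for v in values:
        if v is not None and v != "":
            return v
    return None


def unclassified(results):
    """Commands the allowlist knows nothing about, i.e. the rows a reviewer
    should look at. Works whether the default came from transforms.conf
    (field already "NULL") or is supplied here via coalesce (field absent)."""
    return sorted(
        r["COMMAND"] for r in results
        if coalesce(r.get("Classification"), "NULL") == "NULL"
    )


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for row in classify(TOP_ROWS, table, default_match="NULL"):
        print(row)
    print("unclassified:", unclassified(classify(TOP_ROWS, table)))
```

In both variants the rows for updater and python3 end up with Classification "NULL" and are reported by unclassified(); the practical difference is only where the default is applied, in the lookup definition (for every search that uses it) or in each search that adds the coalesce.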


Legend

Here is a tutorial on how to set up a lookup. It can be done entirely from the Splunk GUI.
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldlookups

Communicator

Hi dwaddle, thanks for your feedback. Unfortunately I am not familiar with the stanza setup and in addition to that I have limited access (web interface only).

I would appreciate a search command solution.

0 Karma