I am trying to compare the list of IPs in my logs with a lookup table (blacklist) that I have. I need my search to return just the users whose IP matches an IP in the blacklist. My logic is that:
1. Do my search
2. Search in the lookup table
3. Return the rows that have the same value for src_ip
I don't know how to connect the value of my search with the lookup table.
source=x |table src_user,src_ip |eval ip=src_ip | append [search inputlookup blacklist.csv ] |where src_ip=ip
lookup_ip
1.2.3.4
11.22.33.44
111.222.111.222
Then you can use the following command to search these lookup_ip IPs of the lookup table in your events, where the IP is stored in a field called src_ip, as follows:
index=yourIndex source=x sourcetype=yourSourcetype [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ]
If you want to avoid searching these denylist IPs then try:
index=yourIndex source=x sourcetype=yourSourcetype NOT ( [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ] )
If the ip within your events is stored in some other field than src_ip then just rename the lookup_ip to that field in | rename lookup_ip as src_ip part of the above commands.
Thanks, I also tried
my search |table src_user,src_ip | iplocation src_ip|dedup src_user,src_ip | search [inputlookup blacklist.csv ]|stats values(src_ip) by src_user
Imagine if we have another field in the blacklist, how can I replace its value with the value that I found in my search?
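As an added example (not part of the answer or the follow-up above) that covers both the original question (keep only events whose src_ip is in the denylist) and the follow-up (pull another column of the blacklist into the results), the same matching can be done with the lookup command instead of a subsearch. It assumes denylist.csv is uploaded as a lookup table file with a header of lookup_ip,category (the category column is a constructed assumption standing in for "another field in the blacklist"); the index, source and sourcetype values are placeholders as in the answer above.

```spl
index=yourIndex source=x sourcetype=yourSourcetype
| lookup denylist.csv lookup_ip AS src_ip OUTPUT category AS denylist_category
| where isnotnull(denylist_category)
| stats count, values(denylist_category) AS denylist_category BY src_user, src_ip
```

The lookup command joins every event's src_ip against lookup_ip and, on a hit, copies the lookup's category column into the event as denylist_category; events with no hit get no such field, so the where clause keeps only denylisted IPs, and any other column of the CSV can be added to the OUTPUT list the same way. Compared with the subsearch form in the answer, this does not depend on the subsearch result limits configured in limits.conf, which matters once the denylist grows beyond a handful of IPs; if you only want to exclude denylisted traffic, flip the condition to where isnull(denylist_category).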