Splunk Search

inputlookup compare the field values in my logs with lookup table

nazanin2016
Path Finder

I am trying to compare the list of IPs in my logs with the lookup table (blacklist) that I have. I need my search to return only the users that have the same IP as the IPs in the blacklist. My logic is:
1. Do my search
2. Search in the lookup table
3. Return the rows that have the same value for src_ip
I don't know how to connect the value of my search with the lookup table. This is what I have:
source=x |table src_user,src_ip |eval ip=src_ip | append [search inputlookup blacklist.csv ] |where src_ip=ip

0 Karma

gokadroid
Motivator
Editing response to change the csv name 06/18/2021

Let's say the IPs within the lookup 'denylist.csv' are in a column called 'lookup_ip' and your csv looks like this:
lookup_ip
1.2.3.4
11.22.33.44
111.222.111.222

Then you can use the following command to search for these lookup_ip IPs from the lookup table in your events, where the IP is stored in a field called src_ip:

index=yourIndex source=x sourcetype=yourSourcetype [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ]

If you want to avoid searching these denylist IPs then try:

index=yourIndex source=x sourcetype=yourSourcetype NOT ( [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ] )

If the IP within your events is stored in a field other than src_ip, then just rename lookup_ip to that field in the | rename lookup_ip as src_ip part of the above commands.
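An added example (not from the answer above) that runs stand-alone in any Splunk search bar: both the "events" and the denylist are constructed inline with makeresults, so no index or uploaded lookup is needed. It shows the append-then-stats pattern, which matches on src_ip like the subsearch above but also carries an extra denylist column (here a hypothetical "reason") through to the matched users; in real use the inner makeresults block is replaced by | inputlookup denylist.csv | rename lookup_ip as src_ip.

```spl
| makeresults count=1
| eval row="alice,1.2.3.4;bob,10.0.0.5;carol,11.22.33.44;dave,1.2.3.4"
| makemv delim=";" row
| mvexpand row
| rex field=row "^(?<src_user>[^,]+),(?<src_ip>.+)$"
| fields src_user src_ip
| append
    [| makeresults count=1
     | eval row="1.2.3.4,scanner;11.22.33.44,c2;111.222.111.222,tor-exit"
     | makemv delim=";" row
     | mvexpand row
     | rex field=row "^(?<src_ip>[^,]+),(?<reason>.+)$"
     | fields src_ip reason]
| stats values(src_user) AS src_user values(reason) AS reason BY src_ip
| where isnotnull(src_user) AND isnotnull(reason)
```

The result keeps only 1.2.3.4 (alice, dave, reason scanner) and 11.22.33.44 (carol, reason c2): bob's IP is not on the list and the tor-exit entry matched no user, so both rows are dropped by the final where. Subsearch result limits apply to the appended side, so for a very large denylist prefer the lookup command against the uploaded csv.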

nazanin2016
Path Finder

Thanks, I also tried:

my search | table src_user,src_ip | iplocation src_ip | dedup src_user,src_ip | search [inputlookup blacklist.csv ] | stats values(src_ip) by src_user

Imagine we have another field in the blacklist. How can I replace its value with the value that I found in my search?

0 Karma