Splunk Search

lookup output renaming and running into issues? Trying to tstats + lookup doesn't work

avoelk
Communicator

Hello,

I have, let's say, "inherited" a few searches and am trying to understand them. Here is the search:

| lookup lu_cisco_umbrella_top_1_million domain as ut_domain output domain as cisco_umbrella_domain
| lookup lu_majestic_top_1_million domain as ut_domain output domain as majestic_domain
| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches

Where I stumble upon now is this: I understand how usually I could match domain to a field in my search results and in the output match another one to another field (like in the Splunk lookup examples documentation), but I can't wrap my head around how this could work with the same field twice. I also don't see the fields majestic_domain or cisco_umbrella_domain in the previous search results, so how could this possibly work?

Also, is there a way to take those two lookups and transfer them into something like this:

.... (NOT [|inputlookup lu_majestic_top_1_million domain |table domain ]) AND (NOT [|inputlookup lu_cisco_umbrella_top_1_million |table domain ])...

I bet I'm seemingly working in the totally wrong direction, so I hope someone can help 🙂 Thanks a lot.

0 Karma
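As an added example (not from the original post, and not Splunk documentation), the search below pushes three constructed domain values through the same two lookups so the effect of "domain AS ut_domain OUTPUT domain AS cisco_umbrella_domain" can be seen without a real data source. It assumes the two lookup definitions named in the thread exist on the search head and that they are configured to return the string no_match when nothing matches; the three domain values are made up for the example.

```spl
| makeresults count=3
| streamstats count AS row
| eval ut_domain=case(row=1, "example.com", row=2, "splunk.com", row=3, "zz-constructed-unlisted-name.test")
| lookup lu_cisco_umbrella_top_1_million domain AS ut_domain OUTPUT domain AS cisco_umbrella_domain
| lookup lu_majestic_top_1_million domain AS ut_domain OUTPUT domain AS majestic_domain
| eval on_any_list=if(cisco_umbrella_domain="no_match" AND majestic_domain="no_match", "no", "yes")
| table ut_domain cisco_umbrella_domain majestic_domain on_any_list
```

Reading the lookup command: the part before OUTPUT ("domain AS ut_domain") names the lookup column to compare and the event field to compare it against; the part after OUTPUT ("domain AS cisco_umbrella_domain") names the lookup column to copy out and the new event field that receives it. The same column "domain" is used on both sides because the list has only one column, so a hit simply copies the matched domain into a fresh field. That fresh field does not exist before the lookup command runs, which is why it is absent from the earlier results. Two checks worth making: the literal compared against (no_match here) must be exactly the default_match string from the lookup definition (the thread uses both no_matches and no_match), and if the definition sets no default_match at all, unmatched rows get a null output field and an isnull() test is the right filter instead.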

goncalocoelho
Path Finder

If I understood correctly...

If the field "domain" exists in lookup "lu_cisco_umbrella_top_1_million", then it will be mapped/output to "cisco_umbrella_domain" (like you have in your example).

But you will still have the initial domain field from your events, before Splunk executes both lookup commands.

Also, instead of this line:

| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches

I would write something like:

| where isnull(cisco_umbrella_domain) AND isnull(majestic_domain)


avoelk
Communicator

Hello,

So basically both lookups have a lookup definition in which there should be a minimum match of 1. For all other occasions (no match) the value no_match will be output.

Now, each lookup shows whether, for example, the ip_address matches what is in the lookup; if it does, it outputs it into the corresponding field. If not, it outputs the value "no_match".

This is done for both lookups, so in the end I have a table with at least two rows of IPs and occasionally a no_match instead of an IP.

In the end (hence the |search) I'm looking for IPs for which there is no match in both lookups.

Now, when I first tried it with |inputlookup I didn't realize it doesn't give me the same results, because I did it like this:

NOT [|inputlookup <lookupname>| table ip_address]

which doesn't look for matches but rather neglects anything that is in the lookup and the field ip_address.

The only reason I'm using an inputlookup instead of the |lookup command is that I'm trying to use it within a tstats command. I've managed to incorporate the inputlookup, but I can't really see how to use the lookup. I think I can't just go on with a |lookup command after the tstats by command, correct?

Because I don't get any results when I try this:

<base search with tstats>
| lookup lu_cisco_umbrella_top_1_million domain as ut_domain output domain as cisco_umbrella_domain
| lookup lu_majestic_top_1_million domain as ut_domain output domain as majestic_domain
| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches
0 Karma
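An added example of the tstats plus lookup pipeline discussed in this thread; it is not the poster's own base search. It assumes the CIM Web data model with its Web.url_domain field as the accelerated source and the two lookup definitions from the thread with default_match set to no_match; substitute whatever data model and BY field the real base search uses. The lookup command can follow tstats; what matters is that the field it reads as input actually exists at that point in the pipeline.

```spl
| tstats count AS event_count
    FROM datamodel=Web
    WHERE Web.url_domain!="" earliest=-24h
    BY Web.url_domain
| rename Web.url_domain AS ut_domain
| lookup lu_cisco_umbrella_top_1_million domain AS ut_domain OUTPUT domain AS cisco_umbrella_domain
| lookup lu_majestic_top_1_million domain AS ut_domain OUTPUT domain AS majestic_domain
| where cisco_umbrella_domain="no_match" AND majestic_domain="no_match"
| sort - event_count
| table ut_domain event_count
```

Two things to verify when a search of this shape returns nothing. First, tstats only emits the aggregates and the BY fields, and the BY field keeps its data model prefix (Web.url_domain here); if the lookup's input side says "domain AS ut_domain" but no field called ut_domain exists, there is nothing to match on and the output fields stay empty, so the rename before the lookups is essential. Second, the literal in the where clause must be exactly the default_match string of the lookup definition (no_matches versus no_match in this thread). Regarding the NOT [|inputlookup ...] alternative: a subsearch is limited by the maxout setting under [subsearch] in limits.conf (10,000 rows by default), so a one-million-row list would only be partially excluded, and the subsearch's table command must emit the event's field name (ut_domain, not domain) for the expanded NOT terms to apply. Those two points are why the lookup command is the better fit for lists of this size.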