Splunk Search

lookup output renaming and running into issues? Trying to tstats + lookup doesn't work

avoelk
Communicator

Hello,

I have, let's say, "inherited" a few searches and am trying to understand them. Here is the search:

| lookup lu_cisco_umbrella_top_1_million domain as ut_domain output domain as cisco_umbrella_domain
| lookup lu_majestic_top_1_million domain as ut_domain output domain as majestic_domain
| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches

Where I stumble upon now is this: I understand how I could usually match domain to a field in my search results and, in the output, match another one to another field (like in the Splunk lookup examples documentation), but I can't wrap my head around how this could work with the same field twice? I also don't see the fields majestic_domain or cisco_umbrella_domain in the previous search results, so how could this possibly work?

Also, is there a way to take those two lookups and transfer them into something like this:

.... (NOT [|inputlookup lu_majestic_top_1_million domain |table domain ]) AND (NOT [|inputlookup lu_cisco_umbrella_top_1_million |table domain ])...

I bet I'm working in totally the wrong direction, so I hope someone can help 🙂 Thanks a lot.


goncalocoelho
Path Finder

If I understood correctly...

If the field "domain" exists in lookup "lu_cisco_umbrella_top_1_million", then it will be mapped/output to "cisco_umbrella_domain" (like you have in your example).

But you will still have the initial domain field from your events, before Splunk executes both lookup commands.

Also, instead of this line:

| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches

I would write something like:

| where isnull(cisco_umbrella_domain) AND isnull(majestic_domain)


avoelk
Communicator

Hello,

So basically both lookups have a lookup definition in which there should be a minimum match of 1. For all other occasions (no match) the value no_match will be output.

Now, each lookup shows whether, for example, the ip_address matches what is in the lookup; if it does, it outputs it into the corresponding field. If not, it outputs the value "no_match".

This is done for both lookups, so in the end I have a table with at least two rows of IPs and occasionally a no_match instead of an IP.

In the end (hence the |search) I'm looking for IPs for which there is no match in both lookups.

Now, when I first tried it with |inputlookup I didn't realize it doesn't give me the same results, because I did it like this:

NOT [|inputlookup <lookupname>| table ip_address]

which doesn't look for matches but rather neglects anything that is in the lookup and the field ip_address.

The only reason I'm using an inputlookup instead of the |lookup command is that I'm trying to use it within a tstats command. I've managed to incorporate the inputlookup, but I can't really see how to use the lookup. I think I can't just go on with a |lookup command after the tstats by command, correct?

Because I don't get any results when I try this:

<base search with tstats>
| lookup lu_cisco_umbrella_top_1_million domain as ut_domain output domain as cisco_umbrella_domain
| lookup lu_majestic_top_1_million domain as ut_domain output domain as majestic_domain
| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches
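The two patterns discussed in this thread, modelled in Python as an added illustration (this is not Splunk code and is not taken from any of the posts above): the `| lookup ... OUTPUT` step with a default no-match value, and the `NOT [| inputlookup ... | table <field>]` subsearch. The lookup rows and events are constructed sample data; the lookup and field names are the ones used in the thread, the `no_matches` value is the one the `| search` line filters on, and the `compare_field` parameter of `not_in_lookup` (which models a `rename` inside the subsearch) is an assumption of this model.

```python
"""Model of Splunk lookup enrichment vs. an inputlookup subsearch filter.

Added illustration for this thread; not Splunk code and not from any post.
All lookup rows and events below are constructed sample data.
"""

# Default value written when no lookup row matches; taken from the thread's
# `| search cisco_umbrella_domain=no_matches ...` line.
NO_MATCH = "no_matches"

# Constructed stand-ins for the two CSV lookups. Each has one column, "domain".
LU_CISCO_UMBRELLA = {"domain": {"example.com", "google.com", "splunk.com"}}
LU_MAJESTIC = {"domain": {"example.com", "wikipedia.org", "splunk.com"}}

# Constructed search results; each event carries the field ut_domain.
EVENTS = [
    {"ut_domain": "example.com"},
    {"ut_domain": "google.com"},
    {"ut_domain": "wikipedia.org"},
    {"ut_domain": "unknown-host.test"},
    {"ut_domain": "splunk.com"},
]


def lookup(events, table, lookup_field, event_field, output_field, default=None):
    """Model `| lookup <table> <lookup_field> AS <event_field> OUTPUT <lookup_field> AS <output_field>`.

    The lookup column named by lookup_field is used twice: once to match against
    the event's event_field, and once as the value copied into output_field.
    The event's own field is never overwritten, which is why ut_domain is still
    present after both lookups run. `default` models a lookup definition with a
    default (minimum-match) value; with None, an unmatched event gets no output field.
    """
    enriched = []
    for event in events:
        new_event = dict(event)
        value = event.get(event_field)
        if value in table[lookup_field]:
            new_event[output_field] = value
        elif default is not None:
            new_event[output_field] = default
        enriched.append(new_event)
    return enriched


def unmatched_in_both(events, default=NO_MATCH):
    """Run both lookups from the thread, then keep only events unmatched in both."""
    enriched = lookup(events, LU_CISCO_UMBRELLA, "domain", "ut_domain",
                      "cisco_umbrella_domain", default)
    enriched = lookup(enriched, LU_MAJESTIC, "domain", "ut_domain",
                      "majestic_domain", default)
    if default is not None:
        # `| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches`
        return [e for e in enriched
                if e.get("cisco_umbrella_domain") == default
                and e.get("majestic_domain") == default]
    # Without a default the output fields are simply absent on unmatched events,
    # so the filter is `| where isnull(cisco_umbrella_domain) AND isnull(majestic_domain)`.
    return [e for e in enriched
            if "cisco_umbrella_domain" not in e and "majestic_domain" not in e]


def not_in_lookup(events, table, lookup_field, compare_field):
    """Model `NOT [| inputlookup <table> | table <lookup_field>]`.

    The subsearch expands to `NOT (<lookup_field>=v1 OR <lookup_field>=v2 ...)`,
    so every event is compared on the field *named in the subsearch output*.
    compare_field is that name (a modelling assumption): "ut_domain" stands for
    `| rename domain AS ut_domain` inside the subsearch, "domain" for the
    subsearch exactly as written in the thread.
    """
    values = table[lookup_field]
    return [e for e in events if e.get(compare_field) not in values]


if __name__ == "__main__":
    print("lookup + no_matches filter:", [e["ut_domain"] for e in unmatched_in_both(EVENTS)])
    print("lookup + isnull filter:    ", [e["ut_domain"] for e in unmatched_in_both(EVENTS, None)])
    via_subsearch = not_in_lookup(
        not_in_lookup(EVENTS, LU_CISCO_UMBRELLA, "domain", "ut_domain"),
        LU_MAJESTIC, "domain", "ut_domain")
    print("NOT [inputlookup] compared on ut_domain:", [e["ut_domain"] for e in via_subsearch])
    # Comparing on a field the events do not carry drops nothing.
    print("NOT [inputlookup] compared on domain:   ",
          len(not_in_lookup(EVENTS, LU_CISCO_UMBRELLA, "domain", "domain")))
```

Running the script prints which sample events survive each path. The last two lines are the point of the model: the subsearch form only removes events when the field name it emits is the same field the events actually carry, whereas the `| lookup` form binds the lookup column to the event field explicitly with `AS ut_domain`.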