I have, let's say, "inherited" a few searches and am trying to understand them. Here is the search:
| lookup lu_cisco_umbrella_top_1_million domain as ut_domain output domain as cisco_umbrella_domain | lookup lu_majestic_top_1_million domain as ut_domain output domain as majestic_domain | search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches
Where I stumble now is this: I understand how usually I could match domain to a field in my search results and in the output match another one to another field (like in the Splunk lookup examples documentation), but I can't wrap my head around how this could work with the same field twice. I also don't see the fields majestic_domain or cisco_umbrella_domain in the previous search results, so how could this possibly work?
Also, is there a way to take those two lookups and transfer them into something like this:
.... (NOT [|inputlookup lu_majestic_top_1_million domain |table domain ]) AND (NOT [|inputlookup lu_cisco_umbrella_top_1_million |table domain ])...
I bet I'm working in totally the wrong direction, seemingly, so I hope someone can help 🙂 Thanks a lot
If I understood correctly...
If the field "domain" exists in lookup "lu_cisco_umbrella_top_1_million", then it will be mapped/output to "cisco_umbrella_domain" (like you have in your example).
But you will still have the initial domain field from your events, before Splunk executes both lookup commands.
Also, instead of this line:
| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches
I would write something like:
| where isnull(cisco_umbrella_domain) AND isnull(majestic_domain)
So basically both lookups have a lookup definition in which there should be a minimum match of 1. For all other occasions (no match) the value no_match will be output.
Now, each lookup shows whether, for example, the ip_address matches what is in the lookup; if it does, it outputs it into the corresponding field. If not, it outputs the value "no_match".
This is done for both lookups, so in the end I have a table with at least two rows of IPs and occasionally a no_match instead of an IP.
In the end (hence the |search) I'm looking for IPs for which there is no match in both lookups.
Now, when I first tried it with |inputlookup I didn't realize it doesn't give me the same results, because I did it like this:
NOT [|inputlookup <lookupname>| table ip_address]
which doesn't look for matches but rather neglects anything that is in the lookup and the field ip_address.
The only reason I'm using an inputlookup instead of the |lookup command is that I'm trying to use it within a tstats command. I've managed to incorporate the inputlookup, but I can't really see how to use the lookup. I think I can't just go on with a |lookup command after the tstats by command, correct?
Because I don't get any results when I try this:
<base search with tstats> | lookup lu_cisco_umbrella_top_1_million domain as ut_domain output domain as cisco_umbrella_domain | lookup lu_majestic_top_1_million domain as ut_domain output domain as majestic_domain | search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches
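Added example, not from any post in this thread and not Splunk code: a small Python model of the semantics discussed above, covering both the answer's `where isnull(...)` suggestion and the original poster's explanation of a lookup definition that emits a no_match default. The lookup tables, events and helper names (`lookup`, `both_lookups`, `filter_sentinel`, `filter_isnull`, `filter_subsearch`) are constructed for illustration; the `rename domain AS ut_domain` step assumed in `filter_subsearch` is likewise an assumption, not something the thread shows.

```python
"""Model of the two-lookup pattern from the thread.

Constructed example: the tables, events and helper names are made up and
are NOT Splunk APIs; they only mimic the semantics of `lookup`, `search`,
`where isnull()` and a `NOT [|inputlookup ...]` subsearch on tiny data.
"""

# Constructed stand-ins for lu_cisco_umbrella_top_1_million and
# lu_majestic_top_1_million, each with a single "domain" column.
CISCO_UMBRELLA = {"google.com", "example.com", "github.com"}
MAJESTIC = {"google.com", "wikipedia.org", "github.com"}

# Constructed events; ut_domain is the event field mapped onto the lookups'
# "domain" column (`domain AS ut_domain` in the search).
EVENTS = [
    {"ut_domain": "google.com"},            # in both lists
    {"ut_domain": "example.com"},           # only in the umbrella list
    {"ut_domain": "wikipedia.org"},         # only in the majestic list
    {"ut_domain": "evil-looking.example"},  # in neither
    {"ut_domain": "another-unknown.test"},  # in neither
]


def lookup(events, table, in_field, out_field, default=None):
    """`| lookup <table> domain AS <in_field> OUTPUT domain AS <out_field>`.

    The input field is never replaced: each call only ADDS one new output
    field, which is why the same ut_domain can feed two lookups in a row.
    With a default configured in the lookup definition (the thread's
    no_match value) unmatched events get that string; without one the
    output field is simply absent, which is what isnull() tests.
    """
    out = []
    for ev in events:
        ev = dict(ev)
        if ev.get(in_field) in table:
            ev[out_field] = ev[in_field]
        elif default is not None:
            ev[out_field] = default
        out.append(ev)
    return out


def both_lookups(events, default=None):
    """The two chained lookup commands from the original search."""
    events = lookup(events, CISCO_UMBRELLA, "ut_domain", "cisco_umbrella_domain", default)
    return lookup(events, MAJESTIC, "ut_domain", "majestic_domain", default)


def filter_sentinel(events, sentinel):
    """`| search cisco_umbrella_domain=<sentinel> AND majestic_domain=<sentinel>`"""
    return [e for e in events
            if e.get("cisco_umbrella_domain") == sentinel
            and e.get("majestic_domain") == sentinel]


def filter_isnull(events):
    """`| where isnull(cisco_umbrella_domain) AND isnull(majestic_domain)`"""
    return [e for e in events
            if e.get("cisco_umbrella_domain") is None
            and e.get("majestic_domain") is None]


def filter_subsearch(events):
    """`NOT [|inputlookup ... | table domain]` for both lists.

    A subsearch expands to `(domain=a) OR (domain=b) ...`, i.e. it filters
    on an EVENT field called domain. The events here carry ut_domain, so
    this models `| inputlookup ... | rename domain AS ut_domain` (an
    assumption, not something the thread shows): the field name returned
    by the subsearch must be the event field you want filtered.
    """
    excluded = CISCO_UMBRELLA | MAJESTIC
    return [e for e in events if e["ut_domain"] not in excluded]


def domains(events):
    """Sorted ut_domain values, for comparing the three approaches."""
    return sorted(e["ut_domain"] for e in events)


if __name__ == "__main__":
    with_default = both_lookups(EVENTS, default="no_match")
    without_default = both_lookups(EVENTS)
    print("sentinel, default set :", domains(filter_sentinel(with_default, "no_match")))
    print("isnull,   default set :", domains(filter_isnull(with_default)))
    print("isnull,   no default  :", domains(filter_isnull(without_default)))
    print("subsearch NOT         :", domains(filter_subsearch(EVENTS)))
```

Two things the model makes visible: an event matched by only one list ends up with its original ut_domain plus one real output field and one default, so the lookup does add the two new fields even though they were not in the events before; and the sentinel in `| search ... =no_match` has to equal the default string in the lookup definition character for character (the thread writes both no_match and no_matches), while `where isnull()` only finds anything when the definition has no default at all, since a default leaves no null fields behind. Which filter is right therefore depends on how the two lookup definitions are configured.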