Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

lookup table to open search and return field name of match

DEAD_BEEF
Builder
‎07-27-2018 01:46 PM

I have a .csv file of assets in our network (~850 IP addresses). I want to search all my Splunk logs in open text and return a table which lists the address along with the index, sourcetype, and field where that match appeared. Is this even possible?

query would return:

ip_address    index    sourcetype    field
1.2.3.4.      windows  dns           src_ip
              windows  db            dst_ip
              web      west_coast    dest_ip
2.3.4.5       linux    ps            source_ip
0 Karma
Reply

DalJeanis
Legend
‎07-27-2018 05:46 PM

Yes, and no. This is the kind of thing that splunk can do, that other kinds of databases cannot... but that does not mean that it really SHOULD be done...

You are asking for a very broad search.

As long as your search is so broad, you might as well go all the way. This has to be run verbose or it will not work, so think SMALL in terms of time frame to run it.

 index=* 
| rename COMMENT as "This will kill all records that have NO IP addresses in them"
| regex "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| rename _time as TIME , _raw as RAW

| rename COMMENT as "This will take each record and make one new record for each field in that record.  BIG EXPAND HERE"
| untable RAW fieldname fieldvalue 

| rename COMMENT as "Turn TIME temporarily into a fake IP address"
| eval _time=case(fieldname="TIME",fieldvalue)
| eval fieldvalue=if(fieldname="TIME","999.999.999.999",fieldvalue)   

| rename COMMENT as "This will filter out all field records that do not include an IP address format, but retain our masked TIME"
| regex "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

| rename COMMENT as "restore Time"
| eval fieldvalue=if(fieldname="TIME",_time,fieldvalue)   
| eval _time=case(1=2,"nevah")

So, at this point, if our air code is correct, you will have a bunch of records that each has a field name and an IP address. Each record will also contain the full _raw test for the record. This will be important for figuring out what the original record used to be.

You could, at this point, pass those fields past your lookup to further check whether the ip was an IP you wanted. You could also kill any fields that you knew you weren't interested in, such as "host".

Here are additional things you can do with that...

1) summarize it to see what fields there are...

  |  stats count by fieldname

2) Instead of that, put the records back together with only the unfiltered fields remaining... 

  | xyseries RAW fieldname fieldvalue
  | rename TIME as _time, RAW as _raw

3) After putting them back together, run them into the fieldsummary command.

0 Karma
Reply

DEAD_BEEF
Builder
‎07-31-2018 12:00 PM

Yea I know this isn't a regular usage of Splunk but thought I could pull this off. I tried the first part with and without stats at the end for last 60m and got nothing 😕

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...