Solved: lookup table

splunkyboy2 · ‎09-21-2020

Hi

can anyone help me with a lookup table

i have a 2 column lookup with column headings IPs and URLs, and i want to see if information in either csv field appears in the index data at all

some fields on the csv just have a url, some just have an ip , some both

is there a search string that will search the contents of either column against data held in index

Thanks in advance

Helppppp

splunkyboy2 · ‎09-22-2020

it works using a single column ( match) lookup with the syntax below, thanks for all your help

index="wss_events" sourcetype=symantec:websecurityservice:scwss-poll [| inputlookup "WSSIOC4.csv" | rename match as query | fields query ]

View solution in original post

gcusello · ‎09-21-2020

Hi @splunkyboy2,

you could run something like this:

your_search ([ | inputlookup your_lookup | rename IP AS query | fields query ] OR [ | inputlookup your_lookup | rename URL AS query | fields query ])
| ...

Ciao.

Giuseppe

splunkyboy2 · ‎09-21-2020

Thanks for the reply, im new to splunk, so pardon my silly questions

how would i script a search that compares ether column of the lookup against data in the index using what you sent , would that be

thanks for your help

your_search ([ | inputlookup your_lookup | rename IP AS query | fields query ] OR [ | inputlookup your_lookup | rename URL AS query | fields query ])

gcusello · ‎09-21-2020

Hi @splunkyboy2,

if you rename a field in a subsearch "AS query", you use the results of the subsearch as free text search in the main search and not only in a field as usual.

You have to use two subsearches because you have two columns to use in the search.

Ciao.

Giuseppe

splunkyboy2 · ‎09-21-2020

so is this the search i need to run below ?

gcusello · ‎09-21-2020

hi @splunkyboy2,

yes, try this and see results, to understand if it's Ok or if you have to modify something:

index=myindex ( [ | inputlookup mylookup | rename IPs as query | fields query ] OR [ | inputlookup mylookup | rename URLs as query | fields query ] )

Ciao.

Giuseppe

splunkyboy2 · ‎09-21-2020

i put an ip address i found in my data into the lookup to test the search, but it didnt bring back any results

as i dont really understand the search, its hard to see where its not working i guess

gcusello · ‎09-21-2020

Hi @splunkyboy2,

test the subsearches on by one.

Ciao.

Giuseppe

splunkyboy2 · ‎09-21-2020

i tried breaking it down , but no results

i have made a new lookup with two columns , one called info is a mix of ip addresses and urls, and the second column just has the word match against all fields

i tried the search index=xxxxxxx | inputlookup xxxxx.csv | rename info as query | fields query

should that work if anything in the info field is present in the data ?

gcusello · ‎09-21-2020

Hi @splunkyboy2,

maybe there a representation problem, but you have to use square brackets for subsearches (use Insert/Edit Code Cample for codes):

 index=xxxxxxx [| inputlookup xxxxx.csv | rename info as query | fields query ]
| ...

using only one colums obviously semplify your search.

Ciao.

Giuseppe

splunkyboy2 · ‎09-22-2020

it works using a single column ( match) lookup with the syntax below, thanks for all your help

index="wss_events" sourcetype=symantec:websecurityservice:scwss-poll [| inputlookup "WSSIOC4.csv" | rename match as query | fields query ]

lookup table

lookup

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor