Splunk Search

lookup table

splunkyboy2
Explorer

Hi


Can anyone help me with a lookup table?

I have a 2-column lookup with column headings IPs and URLs, and I want to see if information in either CSV field appears in the index data at all.

Some fields on the CSV just have a URL, some just have an IP, some both.

Is there a search string that will search the contents of either column against data held in the index?

Thanks in advance

Helppppp

1 Solution

splunkyboy2
Explorer

It works using a single-column (match) lookup with the syntax below, thanks for all your help.

index="wss_events" sourcetype=symantec:websecurityservice:scwss-poll  [| inputlookup "WSSIOC4.csv" | rename match as query | fields query ]


gcusello
SplunkTrust
SplunkTrust

Hi @splunkyboy2,

You could run something like this:

your_search ([ | inputlookup your_lookup | rename IP AS query | fields query ] OR [ | inputlookup your_lookup | rename URL AS query | fields query ])
| ...

Ciao.

Giuseppe

splunkyboy2
Explorer

Thanks for the reply, I'm new to Splunk, so pardon my silly questions.

How would I script a search that compares either column of the lookup against data in the index using what you sent? Would that be

index=myindex ( [  | inputlookup my lookup | rename IPs as query | fields query ] OR [ | inputlookup my lookup | rename URLs as query | fields query ] )

Thanks for your help.


gcusello
SplunkTrust
SplunkTrust

Hi @splunkyboy2,

If you rename a field in a subsearch "AS query", you use the results of the subsearch as a free-text search in the main search and not only in a field as usual.

You have to use two subsearches because you have two columns to use in the search.

Ciao.

Giuseppe

splunkyboy2
Explorer

So is this the search I need to run below?

index=myindex ( [ | inputlookup my lookup | rename IPs as query | fields query ] OR [ | inputlookup my lookup | rename URLs as query | fields query ] )

gcusello
SplunkTrust
SplunkTrust

Hi @splunkyboy2,

Yes, try this and see the results, to understand if it's OK or if you have to modify something:

index=myindex ( [ | inputlookup mylookup | rename IPs as query | fields query ] OR [ | inputlookup mylookup | rename URLs as query | fields query ] )

Ciao.

Giuseppe

splunkyboy2
Explorer

I put an IP address I found in my data into the lookup to test the search, but it didn't bring back any results.

As I don't really understand the search, it's hard to see where it's not working, I guess.

gcusello
SplunkTrust
SplunkTrust

Hi @splunkyboy2,

Test the subsearches one by one.

Ciao.

Giuseppe

splunkyboy2
Explorer

I tried breaking it down, but no results.

I have made a new lookup with two columns, one called info is a mix of IP addresses and URLs, and the second column just has the word match against all fields.

I tried the search index=xxxxxxx | inputlookup xxxxx.csv | rename info as query | fields query

Should that work if anything in the info field is present in the data?

gcusello
SplunkTrust
SplunkTrust

Hi @splunkyboy2,

Maybe there is a representation problem, but you have to use square brackets for subsearches (use Insert/Edit Code Sample for code):

index=xxxxxxx [| inputlookup xxxxx.csv | rename info as query | fields query ]
| ...

Using only one column obviously simplifies your search.

Ciao.

Giuseppe

