So I need to run a search on a firewall index where I need to look for field values matching two lookup files, src.csv and dst_withsubnets.csv, and output the corresponding fields.
Test SPL from my lab:
| makeresults | eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop"
| join src_ip
    [| inputlookup src.csv
     | rename src AS src_ip]
| join dest_ip
    [| inputlookup dst_withsubnets.csv
     | rename dst AS dest_ip]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action
src.csv:
1.1.1.1

dst_withsubnets.csv:
dst
192.168.1.0/24
As you can notice, the SPL is searching for dest_ip in a lookup that only has destination subnets. To make it work, I have also added the following transforms.conf:
[dst_withsubnets]
filename = dst_withsubnets.csv
match_type = CIDR(dst)
max_matches = 1
However, it's still not working.
So, if you're looking to use the lookup addresses as constraints, then you can use the src.csv as a subsearch, so
<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
which will filter your search. For the CIDR one, you can use the lookup, but do this
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
which will output the found addresses to a new field, dst_match and then you can check that it has found a match with the where clause.
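As an added illustration (not part of this thread), the following Python emulates offline what the two constraints above do: the src.csv subsearch as an exact match on src_ip, and the dst_withsubnets lookup as a CIDR match that populates dst_match, followed by the isnotnull filter. The events and lookup contents are constructed; the assumption that a CIDR lookup with max_matches = 1 returns the first matching row in file order is this emulation's, not a statement about Splunk internals.

```python
"""Offline emulation of the two lookup constraints discussed in the thread.

Added example, not from the thread: reproduces what the final search does so
the expected row set can be checked before running it against the real index.
Sample events and lookup contents below are constructed.
"""
import csv
import io
import ipaddress

# Constructed lookup files, same columns as src.csv and dst_withsubnets.csv.
SRC_CSV = "src\n1.1.1.1\n5.5.5.5\n"
DST_WITHSUBNETS_CSV = "dst\n192.168.1.0/24\n10.0.0.0/8\n"

# Constructed firewall events carrying the fields the thread tables.
EVENTS = [
    {"src_ip": "1.1.1.1", "dest_ip": "192.168.1.1", "dest_port": 443, "action": "drop"},
    {"src_ip": "1.1.1.1", "dest_ip": "172.16.0.9", "dest_port": 22, "action": "allow"},
    {"src_ip": "9.9.9.9", "dest_ip": "192.168.1.50", "dest_port": 80, "action": "allow"},
    {"src_ip": "5.5.5.5", "dest_ip": "10.20.30.40", "dest_port": 53, "action": "drop"},
]

def load_column(text, column):
    """Read one column of a CSV lookup (header row present, as a Splunk lookup needs)."""
    return [row[column] for row in csv.DictReader(io.StringIO(text))]

def cidr_lookup(networks, ip):
    """match_type = CIDR(dst) with max_matches = 1: return the first subnet in
    file order that contains ip (assumption of this emulation), else None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in ipaddress.ip_network(net, strict=False):
            return net
    return None

def run_search(events, src_csv, dst_csv):
    """[ inputlookup src.csv ... ] subsearch constraint, then
    lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
    | where isnotnull(dst_match)."""
    allowed_src = set(load_column(src_csv, "src"))
    networks = load_column(dst_csv, "dst")
    out = []
    for ev in events:
        if ev["src_ip"] not in allowed_src:   # subsearch: src_ip IN (...)
            continue
        match = cidr_lookup(networks, ev["dest_ip"])
        if match is None:                     # where isnotnull(dst_match)
            continue
        out.append({**ev, "dst_match": match})
    return out

if __name__ == "__main__":
    for row in run_search(EVENTS, SRC_CSV, DST_WITHSUBNETS_CSV):
        print(row)
```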
The way to use lookups is not the way you are doing it. Use the lookup command, not join/inputlookup:
| makeresults
| eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop"
| lookup src.csv src as src_ip
| lookup dst_withsubnets dst as dest_ip
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action
As for the CIDR variant - that comes from the lookup definition dst_withsubnets - NOT the csv file, so it will never work with inputlookup/join anyway.
@bowesmana I tried your suggestion but I'm getting the error below:
Error in 'lookup' command: All of the fields in the lookup table are specified as lookups, leaving no destination fields.
Below is the screenshot
@bowesmana I want not only the src lookup but the dest lookup with subnets also to act as constraint for that search.
So, should I do it this way?
<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
[| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action
or without the [] for dst_withsubnets:
<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action
I tried both methods; unfortunately, neither worked.
Thanks @bowesmana !!! Really appreciate your help!
The SPL below worked for me:
<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action