Splunk Search

search on each lookup event

samhodgson
Path Finder

Hi All,

I have a lookup containing username, hostname and I also have an assets index storing hostname, mac, ip. I'm trying to merge data from the 2 to generate an up-to-date assets lookup for Enterprise Security. So something that will iterate all entries in the lookup and search against the assets index using hostname.

I'm not sure how to best go about this, should I be using a subsearch or join or something else? Please advise; I've tried playing around with subsearches to no avail so far.

Any help would be greatly appreciated.

Cheers

Sam

0 Karma
1 Solution

horsefez
Motivator

Hi,

How about a lookup command to merge them together?

| lookup yourcsv hostname OUTPUT username

After that you can pipe your results into a new csv file via outputcsv


samhodgson
Path Finder

Hi,

Thanks for your reply. This is what I'm looking to do, but I need to merge data from the assets index into the output too, so something like:

inputlookup hosts | [index=assets | table hostname,mac,ip] | [ get mac,ip here from search using hostnames from inputlookup] | output username, hostname, mac ip

Hope this makes sense?

Cheers

Sam

0 Karma

horsefez
Motivator

Hi Sam,
No, it really doesn't make much sense, but I'm trying to suggest something.

index=assets | fields hostname, mac, ip | lookup yourlookupcsv hostname OUTPUT username | table username, hostname, mac, ip
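
The search above is the right shape; what usually remains for an ES asset list is (a) collapsing repeated events per host to the latest mac/ip, (b) normalising the hostname so the lookup actually matches, (c) renaming to the field names ES's asset list expects (nt_host, owner), and (d) scheduling it so the lookup stays current. The savedsearches.conf stanza below is an added example, not code from this thread: it assumes an index named assets, a CSV lookup hosts.csv with columns username,hostname holding lower-case short hostnames, and an output file es_assets_merged.csv; all of those names are placeholders.

```ini
# Added example (not from the thread): scheduled search that rebuilds an
# asset lookup for Enterprise Security from the assets index plus the
# username,hostname CSV. Assumed names: index "assets", lookup "hosts.csv",
# output lookup "es_assets_merged.csv".
[Refresh ES asset lookup]
enableSched = 1
# hourly; the search window below should cover at least one inventory cycle
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = index=assets \
    | eval hostname=lower(hostname) \
    | rex field=hostname "^(?<hostname>[^.]+)" \
    | stats latest(mac) AS mac latest(ip) AS ip BY hostname \
    | lookup hosts.csv hostname OUTPUT username \
    | where isnotnull(username) \
    | rename hostname AS nt_host, username AS owner \
    | table ip mac nt_host owner \
    | outputlookup es_assets_merged.csv
```

The eval/rex pair lowercases the hostname and strips any domain suffix before the lookup, because an FQDN in the index and a short name in the CSV (or a different case) silently produce no match; normalise the CSV the same way, or the join still fails. The stats step keeps one row per host with the most recently seen mac and ip, which is what ES wants in an asset list. The where clause drops hosts that have no owner in the CSV; if you would rather keep every asset and just leave owner empty, remove that line. After the first run, sanity-check it from the search bar: | inputlookup es_assets_merged.csv | stats count, and then | inputlookup hosts.csv | lookup es_assets_merged.csv nt_host AS hostname OUTPUT ip | where isnull(ip) lists the CSV hosts that never matched anything in the index, which is usually a naming mismatch worth fixing before ES starts correlating against the list.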

samhodgson
Path Finder

Hi Pyro,

I think this might be close to what I want! It isn't quite working yet but I will play around with it. Many thanks, I think this may have put me on the right track. Will let you know how I get on.

Cheers

Sam

0 Karma

horsefez
Motivator

Good luck on that. 🙂

0 Karma

horsefez
Motivator

@samhodgson did you have any luck with that or do you need any further help?

0 Karma

samhodgson
Path Finder

Hi Pyro,

Thanks for coming back to me on this - I've just got back into the office today and managed to get it working 🙂

Thanks for your help!

Sam

0 Karma