Splunk Search

search on each lookup event

samhodgson
Path Finder

Hi All,

I have a lookup containing username,hostname and I also have an assets index storing hostname, mac, ip. I'm trying to merge data from the 2 to generate an up-to-date assets lookup for Enterprise Security. So something that will iterate all entries in the lookup and search against the assets index using hostname.

I'm not sure how to best go about this, should I be using a subsearch or join or something else? Please advise, I've tried playing around with subsearches to no avail so far.

Any help would be greatly appreciated.

Cheers

Sam

1 Solution

horsefez
SplunkTrust

Hi,

how about a lookup command to merge them together?

| lookup yourcsv hostname OUTPUT username

After that you can pipe your results into a new csv file via outputcsv


samhodgson
Path Finder

Hi,

Thanks for your reply. This is what I'm looking to do but I need to merge data from the assets index into the output too so something like:

inputlookup hosts | [index=assets | table hostname,mac,ip] | [ get mac,ip here from search using hostnames from inputlookup] | output username, hostname, mac ip

Hope this makes sense?

Cheers

Sam


horsefez
SplunkTrust

Hi Sam,
no it really doesn't make much sense, but I'm trying to suggest something.

index=assets | fields hostname, mac, ip | lookup yourlookupcsv hostname OUTPUT username | table username, hostname, mac, ip
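The same pattern written out as a complete search, added here as an example rather than horsefez's or Splunk's own code: it assumes a lookup definition named hosts with columns username,hostname (hostnames stored lowercase), an assets index with one event per host observation, and writes the result using the Enterprise Security asset lookup column names nt_host and owner.

```spl
index=assets earliest=-7d
| eval hostname=lower(hostname)
| stats latest(ip) AS ip, latest(mac) AS mac BY hostname
| lookup hosts hostname OUTPUT username
| rename hostname AS nt_host, username AS owner
| fillnull value="unknown" owner
| table ip, mac, nt_host, owner
| outputlookup assets_from_index.csv
```

The stats step collapses repeated observations of a host to its most recent ip and mac, and lower() normalises the hostname because CSV lookups match case-sensitively by default. Hosts in the lookup that have not appeared in the index within the time range drop out; start from inputlookup hosts with a join instead if those rows must be kept.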

samhodgson
Path Finder

Hi Pyro,

I think this might be close to what I want! It isn't quite working yet but I will play around with it, many thanks, I think this may have put me on the right track. Will let you know how I get on.

Cheers

Sam


horsefez
SplunkTrust

Good luck on that. 🙂


horsefez
SplunkTrust

@samhodgson did you have any luck with that or do you need any further help?


samhodgson
Path Finder

Hi Pyro,

Thanks for coming back to me on this - I've just got back into the office today and managed to get it working 🙂

Thanks for your help!

Sam
