search on each lookup event

samhodgson
Path Finder

Hi All,

I have a lookup containing username, hostname, and I also have an assets index storing hostname, mac, ip. I'm trying to merge data from the two to generate an up-to-date assets lookup for Enterprise Security. So something that will iterate all entries in the lookup and search against the assets index using hostname.

I'm not sure how best to go about this; should I be using a subsearch or join or something else? Please advise. I've tried playing around with subsearches to no avail so far.

Any help would be greatly appreciated.

Cheers

Sam

0 Karma
1 Solution

horsefez
Motivator

Hi,

How about a lookup command to merge them together?

| lookup yourcsv hostname OUTPUT username

After that you can pipe your results into a new csv file via outputcsv

samhodgson
Path Finder

Hi,

Thanks for your reply. This is what I'm looking to do, but I need to merge data from the assets index into the output too, so something like:

inputlookup hosts | [index=assets | table hostname,mac,ip] | [ get mac,ip here from search using hostnames from inputlookup] | output username, hostname, mac ip

Hope this makes sense?

Cheers

Sam

0 Karma

horsefez
Motivator

Hi Sam,
No, it really doesn't make much sense, but I'm trying to suggest something.

index=assets | fields hostname, mac, ip | lookup yourlookupcsv hostname OUTPUT username | table username, hostname, mac, ip
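
For readers who want to see what that search does before running it against a real index, here is an added Python model of the merge (example code, not from the thread or from Splunk). It mirrors the behaviour of `| lookup yourlookupcsv hostname OUTPUT username`: every asset event is kept and the username is only filled in where the lookup has a matching hostname, so hosts missing from the CSV come out with an empty username rather than being dropped. It also adds two things a practitioner would want before publishing the result as an Enterprise Security asset lookup: keeping only the most recent asset record per host (the equivalent of `dedup hostname` on time-sorted events) and listing lookup hosts that never appeared in the asset index. The sample CSV and events are constructed, and lower-casing the hostname before matching is an assumption made here for robustness, not a claim about the lookup command's default case handling.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (not from the thread): the CSV lookup with
# username,hostname and the asset index events with hostname,mac,ip.
LOOKUP_CSV = """username,hostname
alice,WS-001
bob,ws-002
carol,ws-003
"""

ASSET_EVENTS = [
    {"_time": "2024-01-10T09:00:00", "hostname": "ws-001", "mac": "00:11:22:33:44:01", "ip": "10.0.0.11"},
    {"_time": "2024-01-12T09:00:00", "hostname": "ws-001", "mac": "00:11:22:33:44:01", "ip": "10.0.0.21"},  # newer record
    {"_time": "2024-01-11T09:00:00", "hostname": "ws-002", "mac": "00:11:22:33:44:02", "ip": "10.0.0.12"},
    {"_time": "2024-01-11T09:00:00", "hostname": "srv-009", "mac": "00:11:22:33:44:09", "ip": "10.0.0.99"},  # not in lookup
]


def load_lookup(csv_text):
    """Parse the username,hostname CSV into {hostname_lower: username}.
    Lower-casing the key is an assumption of this example, not lookup's default."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"].strip().lower(): row["username"].strip() for row in reader}


def latest_per_host(events):
    """Keep only the most recent event per hostname (like `dedup hostname` on events sorted by -_time)."""
    latest = {}
    for ev in events:
        key = ev["hostname"].strip().lower()
        ts = datetime.fromisoformat(ev["_time"])
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, ev)
    return {k: v[1] for k, v in latest.items()}


def merge_assets(events, lookup):
    """Left-join the lookup onto the asset events, mirroring
    `| lookup yourlookupcsv hostname OUTPUT username`: every asset is kept;
    username is None when the lookup has no row for that host."""
    rows = []
    for key, ev in sorted(latest_per_host(events).items()):
        rows.append({"username": lookup.get(key), "hostname": key, "mac": ev["mac"], "ip": ev["ip"]})
    return rows


def unmatched_lookup_hosts(lookup, events):
    """Hosts in the lookup that never appeared in the asset index. Worth reviewing
    before publishing the merged lookup, since those users would have no mac/ip."""
    seen = {ev["hostname"].strip().lower() for ev in events}
    return sorted(h for h in lookup if h not in seen)


def to_csv(rows):
    """Render the merged rows as CSV text (the equivalent of writing them out with outputlookup/outputcsv)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["username", "hostname", "mac", "ip"])
    writer.writeheader()
    for r in rows:
        writer.writerow({k: ("" if v is None else v) for k, v in r.items()})
    return buf.getvalue()


if __name__ == "__main__":
    lk = load_lookup(LOOKUP_CSV)
    merged = merge_assets(ASSET_EVENTS, lk)
    print(to_csv(merged))
    print("lookup hosts with no asset record:", unmatched_lookup_hosts(lk, ASSET_EVENTS))
```

Running it prints three merged rows (srv-009 with an empty username, ws-001 with its newer IP, ws-002) and reports ws-003 as a lookup entry with no asset record. In SPL the same dedup step would sit between the search and the lookup, for example `| sort -_time | dedup hostname`, so that a host with several index records does not produce several rows in the asset lookup.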

samhodgson
Path Finder

Hi Pyro,

I think this might be close to what I want! It isn't quite working yet, but I will play around with it. Many thanks, I think this may have put me on the right track. Will let you know how I get on.

Cheers

Sam

0 Karma

horsefez
Motivator

Good luck on that. 🙂

0 Karma

horsefez
Motivator

@samhodgson did you have any luck with that, or do you need any further help?

0 Karma

samhodgson
Path Finder

Hi Pyro,

Thanks for coming back to me on this. I've just got back into the office today and managed to get it working 🙂

Thanks for your help!

Sam

0 Karma