Solved: How would I use lookup in this search?

faiq1999 · ‎06-02-2023

Hi everyone, I created a CSV lookup that has one column named "IP" which contains public IP list, and now I want to use these values inside my searches. For instance when I try to search incoming traffic to our firewall then I want to use the lookup's values in the dest_ip field for my base search. Could you help me, please?

yuanliu · ‎06-02-2023

If by "use the lookup's values in the dest_ip field for my base search" you mean you want to discard any event in which dest_ip does not match any value of IP in the lookup, this is how to do it with a subsearch:

sourcetype = my_firewall_log
  [| inputlookup my_lookup.csv
  | rename IP as dest_ip]

View solution in original post

faiq1999 · ‎06-04-2023

Thank you both

yuanliu · ‎06-02-2023

If by "use the lookup's values in the dest_ip field for my base search" you mean you want to discard any event in which dest_ip does not match any value of IP in the lookup, this is how to do it with a subsearch:

sourcetype = my_firewall_log
  [| inputlookup my_lookup.csv
  | rename IP as dest_ip]

gcusello · ‎06-02-2023

Hi @faiq1999,

You have two solutions:

one more performant, that requires that you have to identify the fields for searching (e.g. src_ip, dst_ip) and create a calculated field or insert it in the search (the calculated field is more performat!)

index=your_index
| eval IP=coalesce(src_ip,dst_ip)
| search [ | inputlookup your_lookup.csv | fields IP ]

the second solution is easier but less performant:

index=your_index [ | inputlookup your_lookup.csv | rename IP AS query | fields query ]

because it performs a full text search.

Ciao.

Giuseppe

How would I use lookup in this search?

lookup

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)