Lookup table to a lookup table. Examples please......

TheMarkHodgkins · ‎11-09-2011

Pardon my newbie'ness 😆

Does anyone have an example where Search results are matched to table entries (simple CSV should be fine) - but then are matched (counted) to a further table entry, e.g.

Search results generate a count respectively of items from the lookup table like.

a). Restricted application
b). host-sweep
c). read-exposure
d). privileged access
e). protocol violation
f). code execution
g). buffer overflow
h). dos
i). statistical deviation
j). remote access
k). restriced access
l). service sweep
m). write exposure
n). port-scan
o). arbitrary command execution
etc

But then those being further broken down against a further lookup table to make a more consolidated count of : -

a). Policy Violation.
b). Reconaissance attacks
c). Exploit
d). Volume DOS
e). Malware.

Hope that clear and you can see my problem 😆

Thanks

Mark

_d_ · ‎11-09-2011

You can have a lookup table as such:

input_field, attack_type, attack_family

field1, Restricted application, Policy Violation

field13, privileged access, Policy Violation

field2, host sweep, Reconaissance attacks

field3, service sweep, Reconaissance attacks

field4, port scan, Reconaissance attacks

Then, you can do lookups on (and run stats to get counts of) both, the attack_type and attack_family.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Lookup table to a lookup table. Examples please.....

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM