I have a field named HASH which contains hash values and I would like to compare it to md5 and sha256 (name of the other 2 fields) in another index. I am trying to compare in Automatic Lookups, and the input fields in the automatic lookups have the HASH field name as my input value to compare against md5 and sha256.
Any suggestions?
Hi ashishlal82,

create an eval based calculated field http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields for the sourcetype of the events that contain the md5 and/or sha256 fields. The eval you could use for the calculated field could be this:

EVAL-HASH = coalesce(HASH, md5, sha256)

The eval will either use the value of HASH or md5 or sha256 for the calculated field called HASH. Apply the automatic lookup on the field HASH and it should provide the result.

Hope this helps ...

cheers, MuS
Update:
If the calculated field approach is not doable for you try this search:
your base search here to get md5 OR sha256
| eval HASH = coalesce(HASH, md5, sha256)
| lookup YourLookupNameHere HASH | do more ....
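The following is an added illustration, not part of the answer above and not Splunk code: a small Python model of what `eval HASH = coalesce(HASH, md5, sha256) | lookup ... HASH` does to a stream of events, using a constructed CSV lookup with the asker's columns (HASH, allow_or_deny, hash_type) and constructed events carrying md5 and/or sha256 fields. The sample hashes are the well-known md5 and sha256 digests of the empty string, chosen only so the values are recognisable. `apply_lookup` mirrors the coalesce-then-lookup pipeline, where coalesce returns only the first non-empty field; `apply_lookup_all` is an extra, hypothetical variant that tries every hash field, which is what a true one-HASH-to-many-fields comparison needs when an event carries both digests.

```python
import csv
import io

# Constructed stand-in for the CSV lookup file (columns as named in the question).
LOOKUP_CSV = """HASH,allow_or_deny,hash_type
d41d8cd98f00b204e9800998ecf8427e,deny,md5
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,allow,sha256
"""

# Constructed events from the "other index", each with md5 and/or sha256 fields.
EVENTS = [
    {"host": "a", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"host": "b", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    # Event with both digests; only the sha256 is in the lookup.
    {"host": "c", "md5": "ffffffffffffffffffffffffffffffff",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"host": "d"},  # no hash fields at all
]

# Field order used by the coalesce() in the answer: HASH, then md5, then sha256.
HASH_FIELDS = ("HASH", "md5", "sha256")


def load_lookup(csv_text):
    """Parse the CSV lookup into a dict keyed by the lower-cased HASH column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["HASH"].strip().lower(): row for row in reader}


def coalesce(event, fields=HASH_FIELDS):
    """Mirror SPL coalesce(): first listed field that exists and is non-empty, else None."""
    for name in fields:
        value = event.get(name)
        if value not in (None, ""):
            return value
    return None


def apply_lookup(events, lookup):
    """Model of `eval HASH=coalesce(HASH, md5, sha256) | lookup <csv> HASH`.

    Exactly one lookup per event, on the first hash field found.
    """
    out = []
    for ev in events:
        row = dict(ev)
        h = coalesce(ev)
        if h is not None:
            row["HASH"] = h
            hit = lookup.get(h.lower())
            if hit:
                row["allow_or_deny"] = hit["allow_or_deny"]
                row["hash_type"] = hit["hash_type"]
        out.append(row)
    return out


def apply_lookup_all(events, lookup, fields=("md5", "sha256")):
    """Hypothetical one-to-many variant: try every hash field, stop at the first match.

    Unlike coalesce(), an event carrying both md5 and sha256 is checked on both,
    and `matched_on` records which field produced the verdict.
    """
    out = []
    for ev in events:
        row = dict(ev)
        for name in fields:
            value = ev.get(name)
            if value in (None, ""):
                continue
            hit = lookup.get(value.lower())
            if hit:
                row["allow_or_deny"] = hit["allow_or_deny"]
                row["hash_type"] = hit["hash_type"]
                row["matched_on"] = name
                break
        out.append(row)
    return out


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for r in apply_lookup(EVENTS, table):
        print("coalesce :", r)
    for r in apply_lookup_all(EVENTS, table):
        print("all      :", r)
```

Running it shows host c getting no verdict from the coalesce pipeline (its md5 is chosen first and is unknown to the lookup) but an `allow` from the try-every-field variant; in SPL the equivalent would be a second `lookup` on the other field or a multivalue field built with `mvappend`, rather than a single `coalesce`.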
I am not sure if I followed you.
Again, I have a .csv file with columns HASH, allow_or_deny, hash_type as lookup input and I am comparing HASH in the .csv file with another datasource which has data fields as md5 and sha256. I cannot use automatic lookup, since I am trying to accomplish one (HASH) to many comparison (md5 and sha256). Is this doable? Any other solution that would work?
Update ping for the answer
your base search here to get md5 OR sha256
| eval HASH = coalesce(HASH, md5, sha256)
| lookup YourLookupNameHere HASH | do more ....
I am using md5 and sha256 as the comparing fields in the automatic lookup,
so my automatic lookup looks like
hash = sha256
hash = md5
Output all "allow" and "deny" if they satisfy the equation.
Did you read the link provided about the calculated fields? This is one way to go for you....