Solved: How to match my search with a lookup?

kiran331 · ‎09-30-2016

Hi

I want to match the search with lookup file. I have a lookup with host names. i have to match with windows data for the last login on asset. how can i match lookup file?

search i'm using:

eventtype=windows_logon_success src_ip=* src_nt_host=* user!="*$"|rename src_nt_host as Name [|inputlookup asset_list.csv|table Name] | table Name _time

somesoni2 · ‎09-30-2016

Try like this (gets the last logon time from windows logon data, for each hosts available in Lookup file)

eventtype=windows_logon_success src_ip=* [|inputlookup asset_list.csv|table Name | rename Name as src_nt_host ] user!="*$" | dedup src_nt_host  |rename src_nt_host as Name  | table Name _time

Update*

For summary data

| tstats summariesonly count from datamodel=Authentication.Authentication where * by _time,Authentication.src span=1h | drop_dm_object_name("Authentication") | search  [|inputlookup asset.csv | table Name | rename Name AS src ]| dedup src| table _time src

OR

| tstats summariesonly count from datamodel=Authentication.Authentication where  [|inputlookup asset.csv | table Name | rename Name AS "Authentication.src"] by _time,Authentication.src span=1h | drop_dm_object_name("Authentication") | dedup src| table _time src

View solution in original post

somesoni2 · ‎09-30-2016

Try like this (gets the last logon time from windows logon data, for each hosts available in Lookup file)

eventtype=windows_logon_success src_ip=* [|inputlookup asset_list.csv|table Name | rename Name as src_nt_host ] user!="*$" | dedup src_nt_host  |rename src_nt_host as Name  | table Name _time

Update*

For summary data

| tstats summariesonly count from datamodel=Authentication.Authentication where * by _time,Authentication.src span=1h | drop_dm_object_name("Authentication") | search  [|inputlookup asset.csv | table Name | rename Name AS src ]| dedup src| table _time src

OR

| tstats summariesonly count from datamodel=Authentication.Authentication where  [|inputlookup asset.csv | table Name | rename Name AS "Authentication.src"] by _time,Authentication.src span=1h | drop_dm_object_name("Authentication") | dedup src| table _time src

kiran331 · ‎09-30-2016

As search is taking too long, Is it possible to match lookup with Summary data?
query i'm trying:

somesoni2 · ‎09-30-2016

Try the updated answer(s).

sundareshr · ‎09-30-2016

I think this is what you're looking for. Let me know if this doesn't work

eventtype=windows_logon_success [|inputlookup asset_list.csv | table Name | rename Name AS src_nt_host ] | stats latest(src_nt_host) as Name latest(_time) as Time | eval Time=strftime(Time, "%c%) | table Time Name

How to match my search with a lookup?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM