Splunk Search

inputlookup compare the field values in my logs with lookup table

nazanin2016
Path Finder

I am trying to compare the list of IPs in my logs with the lookup table (blacklist) that I have. I need my search to return only the users that have the same IP as the IPs in the blacklist. My logic is that:
1. Do my search
2. Search in the lookup table
3. Return the rows that have the same value for src_ip
I don't know how to connect the value of my search with the lookup table?
source=x |table src_user,src_ip |eval ip=src_ip | append [| inputlookup blacklist.csv ] |where src_ip=ip


gokadroid
Motivator
  • Editing response to change the csv name 06/18/2021
    Let's say the IPs within the lookup ‘denylist.csv’ are called ‘lookup_ip’ and your csv looks like this:
lookup_ip
1.2.3.4
11.22.33.44
111.222.111.222

Then you can use the following command to search for these lookup_ip IPs from the lookup table in your events, where the IP is stored in a field called src_ip:

index=yourIndex source=x sourcetype=yourSourcetype [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ]

If you want to avoid searching these denylist IPs then try:

index=yourIndex source=x sourcetype=yourSourcetype NOT ( [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ] )

If the IP within your events is stored in some field other than src_ip, then just rename lookup_ip to that field in the | rename lookup_ip as src_ip part of the above commands.

nazanin2016
Path Finder

Thanks, I also tried
my search |table src_user,src_ip | iplocation src_ip|dedup src_user,src_ip | search [| inputlookup blacklist.csv ]|stats values(src_ip) by src_user

Imagine we have another field in the blacklist; how can I replace its value with the value that I found in my search?

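To make the subsearch mechanics in gokadroid's answer concrete, here is an added offline emulation (not Splunk code and not from either poster): it expands a constructed denylist.csv into the `( src_ip="…" OR … )` terms Splunk substitutes for `[| inputlookup … | rename lookup_ip as src_ip ]`, applies them to constructed events, and shows why the rename is required. The events, denylist rows and field names are all constructed here.

```python
"""Offline emulation of the Splunk subsearch pattern from the answer above.

Added example, not Splunk code: the events, the denylist rows and the
field names (src_ip, src_user, lookup_ip) are constructed here.
"""
import csv
import io

# Constructed denylist in the shape of denylist.csv from the answer.
DENYLIST_CSV = """lookup_ip
1.2.3.4
11.22.33.44
111.222.111.222
"""

# Constructed events standing in for `index=yourIndex source=x`.
EVENTS = [
    {"src_user": "alice", "src_ip": "10.0.0.5"},
    {"src_user": "bob", "src_ip": "1.2.3.4"},
    {"src_user": "carol", "src_ip": "11.22.33.44"},
    {"src_user": "dave", "src_ip": "192.168.1.9"},
]


def subsearch_terms(csv_text, rename_to="src_ip"):
    """Emulate `[| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip]`.

    Splunk turns each subsearch row into a field=value term, so the lookup
    column must be renamed to the event field name or nothing will match.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return [{rename_to: row["lookup_ip"]} for row in rows]


def render_spl(terms):
    """Show the search string Splunk substitutes for the subsearch."""
    return "( " + " OR ".join(f'{k}="{v}"' for t in terms for k, v in t.items()) + " )"


def match_events(events, terms, negate=False):
    """Apply the expanded terms as a filter; negate=True emulates NOT ( [...] )."""
    def hit(ev):
        return any(all(ev.get(k) == v for k, v in t.items()) for t in terms)
    return [ev for ev in events if hit(ev) != negate]


if __name__ == "__main__":
    terms = subsearch_terms(DENYLIST_CSV)
    print(render_spl(terms))
    print("denylisted:", [e["src_user"] for e in match_events(EVENTS, terms)])
    print("clean:", [e["src_user"] for e in match_events(EVENTS, terms, negate=True)])
```

Splunk caps how many rows a subsearch may return (the `[subsearch]` stanza in limits.conf, 10,000 by default), so a very large denylist can be silently truncated when used this way.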