
inputlookup compare the field values in my logs with lookup table

nazanin2016
Path Finder

I am trying to compare the list of IPs in my logs with the lookup table (blacklist) that I have. I need my search to return just the users that have the same IP as the IPs in the blacklist. My logic is that:
1. Do my search
2. Search in the lookup table
3. Return the rows that have the same value for src_ip
I don't know how to connect the value of my search with the lookup table.
source=x |table src_user,src_ip |eval ip=src_ip | append [search inputlookup blacklist.csv ] |where src_ip=ip


gokadroid
Motivator
Editing response to change the csv name 06/18/2021
Let's say the IPs within the lookup ‘denylist.csv’ are in a field called ‘lookup_ip’ and your csv looks like this:
lookup_ip
1.2.3.4
11.22.33.44
111.222.111.222

Then you can use the following command to search for these lookup_ip IPs from the lookup table in your events, where the IP is stored in a field called src_ip, as follows:

index=yourIndex source=x sourcetype=yourSourcetype [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ]

If you want to avoid searching these denylist IPs then try:

index=yourIndex source=x sourcetype=yourSourcetype NOT ( [| inputlookup denylist.csv | table lookup_ip | rename lookup_ip as src_ip ] )

If the IP within your events is stored in some field other than src_ip, then just rename lookup_ip to that field in the | rename lookup_ip as src_ip part of the above commands.

nazanin2016
Path Finder

Thanks, I also tried

my search | table src_user,src_ip | iplocation src_ip | dedup src_user,src_ip | search [| inputlookup blacklist.csv ] | stats values(src_ip) by src_user

Imagine we have another field in the blacklist; how can I replace its value with the value that I found in my search?

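To make the subsearch mechanics from the accepted answer concrete, and to cover the follow-up about a second column in the list, here is an added example that is not from the original thread. It uses | makeresults to construct four sample events (constructed data, not real logs) and a subsearch that builds the denylist inline, so the filtering part runs on any Splunk instance without uploading a file. The last two lines assume a lookup file named blacklist.csv, as in the question, with an IP column called lookup_ip (the name the answer assumed) and an extra column called category (an assumed name); the lookup command copies that column onto the matching events.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_user=case(n=1, "alice", n=2, "bob", n=3, "carol", n=4, "dave")
| eval src_ip=case(n=1, "1.2.3.4", n=2, "10.0.0.7", n=3, "11.22.33.44", n=4, "192.168.1.9")
| fields - n
| search [| makeresults
          | eval lookup_ip=split("1.2.3.4,11.22.33.44,111.222.111.222", ",")
          | mvexpand lookup_ip
          | table lookup_ip
          | rename lookup_ip AS src_ip ]
| lookup blacklist.csv lookup_ip AS src_ip OUTPUT category
| stats values(src_ip) AS denylisted_ips values(category) AS category BY src_user
```

When Splunk runs this, the subsearch returns a single field, src_ip, and its rows are rewritten into the filter ( ( src_ip="1.2.3.4" ) OR ( src_ip="11.22.33.44" ) OR ( src_ip="111.222.111.222" ) ) before the outer search executes, which is why the field name returned by the subsearch must match the field name in the events; running the bracketed pipeline on its own with | format appended shows that expansion. Of the four constructed events only alice (1.2.3.4) and carol (11.22.33.44) survive. Two caveats a practitioner should keep in mind: subsearches are capped by the [subsearch] stanza in limits.conf (maxout = 10000 rows and maxtime = 60 seconds by default), so for a large denylist the scalable form is | lookup blacklist.csv lookup_ip AS src_ip OUTPUT category | where isnotnull(category), which filters and enriches in one pass with no subsearch; and a CSV lookup matches exact strings, so a list that holds CIDR ranges needs a lookup definition with match_type = CIDR(lookup_ip) in transforms.conf rather than a plain file lookup.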