Solved: How to generate a search to compare the value of a...

soesia12 · ‎03-13-2017

Hello!

I'm currently trying to compare the value of a field with a csv table.

I want to compare the destination port (dst_port) with the values of pwhitelist.csv and display the ports that are not included in the csv data.

For example: the csv file consists of the ports 80, 8080, 443 and 8000 want to display all dst_ports that are not 80, 8080, 443 or 8000.

Thanks

jkat54 · ‎03-13-2017

yourBaseSearch NOT [|inputlookup pwhitelist.csv | fields Ports | rename Ports AS dst_port | format]

View solution in original post

jkat54 · ‎03-13-2017

yourBaseSearch NOT [|inputlookup pwhitelist.csv | fields Ports | rename Ports AS dst_port | format]

soesia12 · ‎03-13-2017

Hey!

Doesn't work. It just lists all ports.

In the file there are just a few ports. At the moments it's just for testing.
pwhitelist.csv:

In the file is only one column with the header "Ports".
The values 80,443,8000,8080 are in that column.

jkat54 · ‎03-14-2017

I edited my answer, please try the new version. If dst_port isn't the field name in your index, then change it to the field name you have for the ports in your indexed data.

soesia12 · ‎03-14-2017

thanks so much ! it worked

How to generate a search to compare the value of a field with a CSV table?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2