- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there a way for a query to take a value from lo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way for a query to take a value from lookup table and if it has a match it record down the value and continue the next search?
Hi,
Is there a way for a query to take a value from lookup table and if it has a match it record down the value and continue the next search?
for example I have a group of CIDR in a lookup csv, I want search IPs in log if there is one IP in the specified CIDR range then record down the CIDR then continue search if there is a IP falls in the next CIDR, if not pass to the next CIRD. At the end of search I should have all CIDR that have IPs in the log.
index=network status=404 [|inputlookup CIDR.csv|rename CIDR as src_ip|table src_ip]
the above query will have matches but I want to know which CIDR has the match?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use your CIDR lookup as filter (what you've right now) to capture only the relevant record and then as lookup to enrich your data with matching CIDR. To achieve that, you first need to create a lookup definition from your lookup table file CIDR.csv which can do a CIDR match. You can follow steps from below post to setup your lookup definition. There is an optional step provided in this post for automatic lookup but you can exclude that (just use the transforms.conf changes).
https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html
Once you've the lookup definition, say CIDR setup, use search like this. which will give list of CIDR which have IP's in the log and corresponding count of distinct IPs that are match.
index=network status=404 [|inputlookup CIDR|rename CIDR as src_ip|table src_ip]
| lookup CIDR CIDR as src_ip OUTPUT CIDR | stats dc(src_ip) as src_ip_count by CIDR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to do a lookup, I wouldn't use the inputlookup command.
Assume that the source data has a field named "ip" that contains the IP address, and that the CIDR.csv contains a single field named CIDR. Also, assume that there is a lookup named "cidr_lookup" - this lookup should allow multiple lookup results (which) is the default. Of course, it should be set for CIDR-matching. Now your search can be
index=network status=404
| lookup cidr_lookup ip as CIDR output CIDR
| stats list(CIDR) as "CIDR list" by ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the values in CIDR.csv were "001.001.001.001.001" and "002.002.002.002", then your code...
index=network status=404 [|inputlookup CIDR.csv|rename CIDR as src_ip|table src_ip]
...is translated by splunk's implicit format command to a search that looks like this...
index=network status=404 ( (src_ip="001.001.001.001.001" ) OR ( src_ip="002.002.002.002") )
... and so the answer is, for that query, the matched value is found in the src_ip field.
You can read more about the format command here - https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Format.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
