Currently I am populating my summary index with a list of malware-listed IPs with
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup
| rename watch_ip as clientip | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other
The inputlookup watchlist_ip_lookup.csv file has two columns; the watch_type is optional, as it is sometimes blank:
watch_ip, watch_type
2.187.19.0, C2
49.244.116.184,
46.63.167.216, C2
.... etc
How would I include the watch_type field in all the results for my summary index?
Will this work?
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup
| rename watch_ip as clientip | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_type
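As an added example that is not part of the original thread: the search above with an explicit fallback for the blank watch_type rows the question mentions, plus a final collect into the summary index. The index name your_summary_index is a placeholder, and the eval assumes an empty CSV cell reaches the event as either a null or an empty-string field, so it covers both.

```spl
index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif"
    [ | inputlookup watchlist_ip_lookup
      | rename watch_ip as clientip
      | fields + clientip ]
| dedup clientip
| lookup ga ip as clientip
| lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type
| eval watch_type=if(isnull(watch_type) OR watch_type=="", "unclassified", watch_type)
| table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_type
| collect index=your_summary_index
```

If the scheduled search already writes to the summary index through its summary-indexing settings, drop the final collect line rather than writing the rows twice.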
I have a similar issue; however, I'm using a dnslookup. I've tried a few variations; however, I can't seem to get the dnslookup result to appear in the table.
index=xxx sourcetype="WinEventLog:Security" "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc= mvindex(Account_Name,1)
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)
| dnslookup forward ComputerName Client_Address
| table account_domain account_name ComputerName Caller_Computer_Name Client_Address
In the above example, the "Client_Address" field is coming up blank. Any ideas? Thanks in advance!
@sadkha - the syntax is wrong for your lookup in the fourth line. Here is a link to the lookup command. So I think that what you want might be:
| lookup dnslookup clientip as Client_Address OUTPUT clienthost as ComputerName
But I am not sure that I know what your field names are...
I was looking for a similar output and the above search worked. Thanks.
Awesome, thanks Lisa, that outer lookup was the trick. It's pulling up the extra field from the lookup now.