Splunk Search

Match value from lookup table to values of specific fields

onkarkore1
Explorer

Hi,

How do I match a lookup table of IP addresses against the existing field value of host_ip?

I want to display IP addresses as a search result once they match the value from the lookup file with the existing host_ip field, based on event code.

I have a list of sensitive servers' IP addresses in a .csv lookup file. Now I would like to match the IP address with the existing field host_ip based on a specified event code, and display the matched IPs as a search result.

Thanks


mayurr98
Super Champion

Hey @onkarkore1,

Take a look at the documentation of the lookup command:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup

As per your question, you have a host_ip field in the raw data, and let's suppose you have IP and Event_Code fields in the lookup csv.

So run the search below in order to get the matched IPs as mentioned in your question.

<base_search>
| lookup mylookup.csv IP AS host_ip OUTPUT Event_Code
| search Event_Code=*
| dedup host_ip
| table host_ip
| rename host_ip AS "Matched Host IP's"

Let me know if this helps!

onkarkore1
Explorer

Hi Mayur,

Thanks for your response. As per my question, I have a src field in the raw data and a server_ip column (only one column) in the csv lookup.

Now I would like to configure the search query which will return the list of servers from the lookup table matching the raw field's server values, based on the given Event_Code.

I will be thankful if you can suggest here.

Thanks,


mayurr98
Super Champion

As there is only one column in the csv, you cannot match based on event code, as the event code has no relevance there.
However, you can still match host IPs.

index=<your_index> [ | inputlookup mylookup.csv | dedup server_ip | table server_ip | rename server_ip as src ] | stats count by src | table src

If this does not work, then try this:

index=<your_index> | dedup src | table src | join src [ | inputlookup mylookup.csv | dedup server_ip | rename server_ip AS src ]

Let me know if this helps!

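As an added example (not from any poster in this thread), here is one way to get the event-code filtering that a single-column lookup cannot provide on its own: filter by event code in the base search, then use the lookup's own match column as the OUTPUT field, so that events with no match get a null value and are dropped. Assumed names: a lookup file sensitive_servers.csv with a single column server_ip, and raw fields src and EventCode; replace the placeholders in angle brackets with your own values.

```spl
index=<your_index> EventCode=<event_code>
| lookup sensitive_servers.csv server_ip AS src OUTPUT server_ip AS sensitive_ip
| where isnotnull(sensitive_ip)
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY sensitive_ip, EventCode
| convert ctime(first_seen), ctime(last_seen)
| rename sensitive_ip AS "Matched sensitive server IP"
```

The stats step gives one row per sensitive server with the hit count and time range, which is usually more useful for triage than the bare IP list; drop it and keep `| table sensitive_ip` if only the list is wanted.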

493669
Super Champion

@onkarkore1

lookup <lookup-table-name> <lookup-field1> AS <local-field1> OUTPUTNEW <lookup-destfield1> AS <local-destfield1>, <lookup-destfield2> AS <local-destfield2>

The only thing you must be aware of is that the local field should exist if you use it in a lookup. Mention the lookup field name which you are matching with the event code.

<base_search> | lookup lookup.csv ip AS host_ip OUTPUTNEW ip_address

Here I assume the lookup field name is ip, to match with host_ip in the event, and ip_address is the field in the lookup to display the server's IP addresses, so change the field names as per your requirement.
