How can I setup a lookup table based off of siteco...

jmartelon · ‎02-08-2018

We have 3 main site-codes in our environment and we are trying to implement a lookup table via Splunk. Here is what we have done so far. We created a Python script for asset discovery that we are running daily. Upon these results, we created a directory to where these results save at, and we created an index and a stanza to monitor these files daily.

The data we receive from the results of the scan we are trying to put into a lookup table for easier searching. Such as

index=vuln_test source=asset_disc 3389_state=open AND cred_success=False 
| lookup site_code, corresponding IP, (and results of the scan)

493669 · ‎02-08-2018

once you have define your lookup then use |outputlookup command to store the results of scan.
try this:

index=vuln_test source=asset_disc 3389_state=open AND cred_success=False|table  site_code, corresponding IP, (and results of the scan)|outputlookup <lookupFileName>

jmartelon · ‎02-09-2018

This is good information, but I'm not entirely sure on how to get this to be able to search

493669 · ‎02-09-2018

for creation of csv type lookup refer:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Knowledge/Usefieldlookupstoaddinformationtoyo...
and how outputlookup works refer:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup

How can I setup a lookup table based off of sitecode?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!