I am trying to use a wildcard based lookup table as part of a query that will get all non-wildcard based values so that I can use them in a real lookup.
My company maintains 100+ firewalls, sometimes more. All the firewalls send traffic logs to Splunk. I would like to be able to break down the traffic logs into locations without having to know every single firewall name, so I created a lookup table that looks something like this
firewalls.csv
description, location, search_name, monitored
testFW1, location1, fw-loc1-*, Y
testFW2, location2, fw-loc2-*, Y
testFWsub2, location2, fw-branch*-loc3-*, Y
If it were not for the fact that I need a wildcard in the middle of the string to find my lookup data, I could just ask my admin to change some .conf file so that my csv could do wildcard lookups.
I solved this by searching for values and then aggregating on the wildcard value, like this
|inputlookup firewalls.csv
| map maxsearches=20 search="|tstats prestats=t values(host) where index=pan_logs host=$dvc$ | stats values(host) as host | eval dvc=$dvc$"
| append [|inputlookup firewalls.csv] | append [|inputlookup firwalls_lookup.csv]
| stats values(host) as host first(loc) as loc first(monitored) as monitored first(note) as note by dvc
|outputlookup firewalls_lookup.csv
Now I can use the hosts values in a lookup
index=pan_logs | head 10 | lookup firewalls_lookup.csv host | table src_ip dest_ip host location monitored
This seems like a lot of work though. Basically, I am using a csv to create a legit lookup table (would probably run this nightly).
Is there a better approach?