How do I get a Splunk conditional lookup command t...

SplunkNewbie18 · ‎12-04-2018

Hi,

My search is based on 3 sources (firewall log, ioc feed macro and lookup table for ioc). To check for any match on ioc for the destip field.

index=firewall
| search [<macro>
| table destip
| format]
| lookup <lookup table> srcip as destip OUTPUT columnA as A
| lookup <lookup table> srcip as destip OUTPUT columnB as B
| table _time, destip, A, B

However, 1 ioc can have multiple row of data in the for column B:

destip-B
1.1.1.1-high  
1.1.1.1-low

Hence, the result of the above SPL will give me:

_time-destip-A-B
<time>-1.1.1.1-<output A>-high low

How do i include a condition to only lookup and match the ioc for only "high" events in column B in the lookup table, to be as below ouput?

_time-destip-A-B
<time>-1.1.1.1-<output A>-high

skoelpin · ‎12-04-2018

I'll be the first to say this.. Your query is going to be painfully slow and will not scale, especially with firewall logs.

Instead, you should lump all 3 sources together like this

(index=firewall sourcetype=...) OR (index=...) 
| stats count by srcip
| lookup

Also, rather than using table, you should use a stats before the lookup for better performance

How do I get a Splunk conditional lookup command to match only specific values?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!