How do you use OR logic in lookup fields?

tomsterkw · ‎01-02-2019

Hello!

Problem:

Take .csv lookup file and search through an index in order to identify a match, if ipaddress OR username match.

Sample lookup Data:

username, ipaddress, url, protocol, group, severity
tomj, 10.10.10.123, google.com, 80, badguy, 1
bobt, 10.10.10.124, google.com, 443, good, 2
sarat, 10.10.10.121, g.com, 80, good, 2

My query:

index=log_files | lookup table.csv ipaddress as src_ip, url as link OUTPUT group, severity 
| table _Time, src_ip, group, severity

Result

I only get a result when both src_IP AND link from my index match the lookup. But, I want to know if either of these conditions match. For example, when ip 10.10.10.123 OR g.com is visited, I would expect to see group, severity for those two separate records.

How can I use OR logic in my lookup fields instead of AND?

Please let me know if I remain unclear in my request.

Thank you!

woodcock · ‎01-02-2019

You have to do multiple lookups and either use OUTPUTNEW or use a different output name for each one and then use coalesce(name1, name2, name3, ...).

richgalloway · ‎01-02-2019

The lookup command always ANDs the fields used in the lookup. There is no option to OR them. The alternative is to use multiple lookups.

index=log_files | lookup table.csv ipaddress as src_ip OUTPUT group1, severity1 
| lookup table.csv url as link OUTPUT group2, severity2 
| eval group=coalesce(group1, group2), severity=coalesce(severity1, severity2)
| table _Time, src_ip, group, severity

---
If this reply helps you, Karma would be appreciated.

DalJeanis · ‎01-02-2019

@richgalloway - consider OUTPUTNEW

richgalloway · ‎01-02-2019

Forgot about that. Thanks, DalJeanis!

---
If this reply helps you, Karma would be appreciated.