Splunk Search

How to create a lookup search for matching 2 fields?

badoomi
New Member

I have 2 devices: fw and waf. I want to make a lookup; my lookup file is mal_ip and it has 4 fields:

mal_ip,category,product,port
1.1.1.1,mal_ip,firewall,443

I want to say: where src=mal_ip, show category. The common fields are product and port.
My query is :

index=fw OR index=waf [| inputlookup mal_ip | where src=mal_ip | fields category,mal_ip,product,port] | stats count by src category

But it doesn't match any fields, can you tell me what can I do?

0 Karma

woodcock
Esteemed Legend

This assumes that your lookup file is referenced by a lookup definition called mal_ip (if not, replace the first mal_ip value with the correct lookup definition or lookup file):

index=fw OR index=waf
| lookup mal_ip mal_ip AS src product port OUTPUT category
0 Karma

jnudell_2
Builder

Hi Badoomi,

You're using the lookup in the wrong way to achieve your results. @richgalloway is almost right in his answer:

index=fw OR index=waf
| lookup mal_ip mal_ip as src OUTPUT category product port
| stats count by src category

However, if you want to match more than src, and you need to check the product and the port as well it would be written as follows:

index=fw OR index=waf
| lookup mal_ip mal_ip as src product as product port as port OUTPUT category
| stats count by src category

This will match against src, product, and port. But product and port have to be extracted/defined before using the | lookup in that search.

0 Karma

badoomi
New Member

It doesn't work and shows me this error:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

0 Karma

jnudell_2
Builder

You'll need to make sure that both the lookup table (CSV file) AND the definition are created.

Please refer to this:
https://docs.splunk.com/Documentation/SplunkCloud/7.2.4/Knowledge/LookupexampleinSplunkWeb

0 Karma
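To make the matching rules behind the two forms in jnudell_2's first answer concrete, and to show where the "Could not find all of the specified lookup fields" error comes from, here is a small Python simulation of `| lookup ... AS ... OUTPUT ...` and `| stats count by` run over a constructed mal_ip table and constructed fw/waf events. It is an added example, not code from this thread or from Splunk; the second CSV row, the event list, and the function names are assumptions made for the illustration.

```python
import csv
import io
import itertools

# Constructed lookup table modelled on badoomi's mal_ip file (same four columns).
# A second row is added so that a multi-field match has something to discriminate.
MAL_IP_CSV = """mal_ip,category,product,port
1.1.1.1,mal_ip,firewall,443
1.1.1.1,c2,waf,8443
"""

# Constructed events, roughly what index=fw OR index=waf could yield after field
# extraction. The fourth event carries the address in src_ip rather than src, the
# situation richgalloway's last reply warns about.
EVENTS = [
    {"index": "fw",  "src": "1.1.1.1",    "product": "firewall", "port": "443"},
    {"index": "waf", "src": "1.1.1.1",    "product": "waf",      "port": "8443"},
    {"index": "fw",  "src": "1.1.1.1",    "product": "firewall", "port": "80"},
    {"index": "waf", "src_ip": "1.1.1.1", "product": "waf",      "port": "8443"},
    {"index": "fw",  "src": "9.9.9.9",    "product": "firewall", "port": "443"},
]


def load_lookup(text):
    """Parse a CSV lookup file into (header, rows); every value stays a string."""
    reader = csv.DictReader(io.StringIO(text))
    return list(reader.fieldnames), list(reader)


def lookup(events, table, match, output):
    """Simulate `| lookup <table> lf1 AS ef1 lf2 AS ef2 ... OUTPUT o1 o2`.

    match  - {lookup_field: event_field}; every pair must match for a row to hit
    output - lookup fields copied onto matching events (overwriting, like OUTPUT)
    As in Splunk: every lookup field named must exist in the CSV header, an event
    that lacks one of the match fields simply gets no output, comparison is exact
    (case-sensitive by default) string equality, and several matching rows give a
    multivalue output field (modelled here as a list of the distinct values).
    """
    header, rows = table
    missing = [f for f in list(match) + list(output) if f not in header]
    if missing:
        # Splunk: "Error in 'lookup' command: Could not find all of the specified
        # lookup fields in the lookup table."
        raise ValueError("lookup fields not in table: %s" % ", ".join(missing))
    enriched = []
    for ev in events:
        ev = dict(ev)
        if all(ef in ev for ef in match.values()):
            hits = [r for r in rows if all(r[lf] == ev[ef] for lf, ef in match.items())]
            for o in output:
                vals = []
                for r in hits:
                    if r[o] not in vals:
                        vals.append(r[o])
                if vals:
                    ev[o] = vals[0] if len(vals) == 1 else vals
        enriched.append(ev)
    return enriched


def stats_count_by(events, *fields):
    """Simulate `| stats count by f1 f2`: events missing a by-field are dropped,
    and a multivalue by-field contributes one count per value."""
    counts = {}
    for ev in events:
        if not all(f in ev for f in fields):
            continue
        axes = [ev[f] if isinstance(ev[f], list) else [ev[f]] for f in fields]
        for key in itertools.product(*axes):
            counts[key] = counts.get(key, 0) + 1
    return counts


TABLE = load_lookup(MAL_IP_CSV)


def single_key():
    """`| lookup mal_ip mal_ip AS src OUTPUT category`: product and port are ignored,
    so every 1.1.1.1 event matches both rows and gets a multivalue category."""
    return lookup(EVENTS, TABLE, {"mal_ip": "src"}, ["category"])


def multi_key():
    """`| lookup mal_ip mal_ip AS src product AS product port AS port OUTPUT category`:
    only events whose src, product and port all agree with one row are enriched."""
    keys = {"mal_ip": "src", "product": "product", "port": "port"}
    return lookup(EVENTS, TABLE, keys, ["category"])


def wrong_field_name():
    """`| lookup mal_ip src OUTPUT category` when the CSV column is called mal_ip."""
    try:
        lookup(EVENTS, TABLE, {"src": "src"}, ["category"])
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(stats_count_by(single_key(), "src", "category"))
    print(stats_count_by(multi_key(), "src", "category"))
    print(wrong_field_name())
```

Two details matter in practice. First, the error in the thread is raised because a field name on the lookup side of an `AS` pair (or after `OUTPUT`) is not a column of the table, which is why `lookup mal_ip src` fails while `lookup mal_ip mal_ip AS src` works. Second, `OUTPUT` overwrites event fields of the same name, so `OUTPUT category product port` replaces the event's own product and port with the table's values; use `OUTPUTNEW` if the event's values should be kept.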

richgalloway
SplunkTrust

Recall that subsearches run before the main search. Therefore, |inputlookup mal_ip | where src=mal_ip| fields category,mal_ip,product,port must return results. Since there is no 'src' field, the query will not return any results. Try the following variation:

index=fw OR index=waf | lookup mal_ip as src | fields category,mal_ip | stats count by src category
---
If this reply helps you, Karma would be appreciated.
0 Karma

badoomi
New Member

It doesn't work. I want to compare src from my firewall and waf with mal_ip in my lookup file.

0 Karma

richgalloway
SplunkTrust

Make sure the fw and waf indexes are returning events with a field called 'src'. If not, add rename or eval statements to create such a field.

---
If this reply helps you, Karma would be appreciated.
0 Karma