
1 search, 2 sourcetypes, 1 lookup file

mcm10285
Communicator

Is it possible to use one lookup table for 2 sourcetypes in a single search? For example, lookup.csv contains IP and Category. I would like to alert on IPs matching the lookup.csv from cisco firewalls (e.g. sourcetype=asa, match with field "dest_ip") and proxy gateways (sourcetype=bcoat, match with field "dst"). The assumption is that there are no similar fields between the two sourcetypes.

sourcetype=asa OR sourcetype=bcoat[|inputlookup lookup.csv..........]


lguinn2
Legend

Use the rename command to make the fields the same name, or use eval to create the appropriate key.

I am not sure why you are using the inputlookup command however. For inputlookup, there is no key.

sourcetype=asa OR sourcetype=bcoat
| rename dest_ip as IP, dst as IP
| lookup ip_lookup IP

I don't think you can simply refer to the lookup.csv file in the lookup command. In my example, I assumed that you defined a lookup called ip_lookup.


stefano_guidoba
Communicator

You could try entering the lookup 2 times like this:

sourcetype=asa OR sourcetype=bcoat | lookup lookup.csv IP as dest_ip OUTPUT Category | lookup lookup.csv IP as dst OUTPUT Category | ...

However, I suggest you override sourcetype definitions in order to extract two fields with the same name (say, dest_ip). This way you can "enter" the lookup only one time. Also, you can configure an automatic lookup for these sourcetypes, so when you search for

sourcetype=asa OR sourcetype=bcoat

automatically you have one new field named Category.
Regards,
Stefano

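Putting both answers together, here is an added example search (not from either poster) that normalises the two field names with coalesce, enriches against the lookup once, keeps only events that matched, and summarises per source so the result can drive an alert. It assumes a lookup definition named ip_lookup (as in the first answer) whose match field is IP and whose output field is Category.

```spl
sourcetype=asa OR sourcetype=bcoat
/* assumed: asa events carry dest_ip, bcoat events carry dst; coalesce takes whichever exists */
| eval IP=coalesce(dest_ip, dst)
/* drop events that have neither field, so the lookup is not run on empty keys */
| where isnotnull(IP)
/* single lookup against the assumed ip_lookup definition; unmatched events get no Category */
| lookup ip_lookup IP OUTPUT Category
/* keep only hits against the watchlist */
| where isnotnull(Category)
/* one row per source, IP and category: count plus first/last sighting for the alert body */
| stats count AS hits, earliest(_time) AS first_seen, latest(_time) AS last_seen BY sourcetype, IP, Category
| convert ctime(first_seen) ctime(last_seen)
```

Save the search as an alert that triggers when the number of results is greater than zero; the stats row gives the analyst the source, the matched IP and the lookup category without a second search.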