Splunk Search

Whitelisting using lookups

lemikg
Communicator

Hi,

I don't know if this is the right way to do it, but I have a list of COMMANDs, each of which I have associated with a Classification (name).

This search gives me a table with PID, COMMAND count and Classification, and some of those results have blanks in the field Classification.

sourcetype=top COMMAND | multikv | rex field=COMMAND "^(?.+?)\/" | rex field=COMMAND "^(?.+?)_" | dedup COMMAND | stats count by PID, COMMAND | lookup command_lookup.csv COMMAND AS COMMAND OUTPUT Classification AS Classification | eval Classification=if(isnull(Classification),command_lookup.csv,Classification)
What I am trying is to let Splunk write "NULL" in that field if it doesn't find a match in the lookup file.
Or maybe the search query is just wrong.

Can anybody help me here?

thanks in advance.

regards
Mike

1 Solution

dwaddle
SplunkTrust
SplunkTrust

Well, if I understand the question properly, your goal is to have a lookup table return a default value if the key does not exist in the lookup. One way to accomplish this is by defining the lookup in transforms.conf and setting a default match there. A stanza similar to this should do it.

[command_lookup]
filename=command_lookup.csv
min_matches = 1
default_match = NULL

Now your lookup command in your search changes to:

... | lookup command_lookup COMMAND AS COMMAND OUTPUT Classification AS Classification 

Since the stanza defines the filename


One approach for post-processing exclusively in the search language is eval and its coalesce command. You can do something like this:

| eval Classification=coalesce(Classification,"NULL")

The coalesce command returns the first non-empty value among its arguments.


0 Karma
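The two approaches in the answer above (a transforms.conf lookup with min_matches/default_match, versus a plain lookup followed by eval coalesce) emulated in Python so their behaviour on a lookup miss can be compared side by side. This is an added example, not part of dwaddle's post and not Splunk's own code: the lookup CSV contents and the `top` rows are constructed, treating the two rex stages in the question as "keep the text before the first `/` or `_`" is an assumption about their intent, and the dedup stage is left out. The rows that come back as NULL are the processes missing from the allowlist, which is what a reviewer wants to see.

```python
import csv
import io
import re
from collections import Counter

# Constructed stand-in for command_lookup.csv (COMMAND -> Classification).
COMMAND_LOOKUP_CSV = """COMMAND,Classification
systemd,system
sshd,system
kworker,kernel
rcu,kernel
splunkd,monitoring
"""

# Constructed stand-in for (PID, COMMAND) pairs as `sourcetype=top | multikv`
# would yield; the last two commands are deliberately absent from the lookup.
TOP_ROWS = [
    ("1", "systemd"),
    ("7", "kworker/0:1"),
    ("8", "rcu_sched"),
    ("812", "sshd"),
    ("1450", "splunkd"),
    ("2203", "curl"),
    ("2204", "nc"),
    ("2203", "curl"),  # second sample of the same PID/COMMAND -> count 2
]


def load_lookup(csv_text):
    """Parse the lookup CSV into a dict keyed by COMMAND."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["COMMAND"]: row["Classification"] for row in reader}


def normalize_command(command):
    """Keep the text before the first '/' or '_' (assumed intent of the two
    rex stages in the question, e.g. 'kworker/0:1' -> 'kworker')."""
    return re.split(r"[/_]", command, maxsplit=1)[0]


def lookup_with_default(lookup, key, default_match=None):
    """Emulate the transforms.conf lookup: with min_matches=1 and default_match
    set, a miss yields default_match; with no default the output field is
    simply absent, represented here as None."""
    return lookup.get(key, default_match)


def classify_processes(rows, lookup, default_match=None):
    """Emulate `stats count by PID, COMMAND | lookup ... OUTPUT Classification`."""
    counts = Counter((pid, normalize_command(cmd)) for pid, cmd in rows)
    return [
        {
            "PID": pid,
            "COMMAND": cmd,
            "count": count,
            "Classification": lookup_with_default(lookup, cmd, default_match),
        }
        for (pid, cmd), count in sorted(counts.items(), key=lambda kv: int(kv[0][0]))
    ]


def coalesce(*values):
    """Emulate eval's coalesce(): the first argument that is not null."""
    for value in values:
        if value is not None:
            return value
    return None


def apply_coalesce(results, fallback="NULL"):
    """Emulate `| eval Classification=coalesce(Classification, "NULL")`
    (double quotes: a string literal, not a field reference)."""
    return [
        dict(row, Classification=coalesce(row["Classification"], fallback))
        for row in results
    ]


def unclassified(results, marker="NULL"):
    """Commands that fell through the allowlist: the rows worth a reviewer's look."""
    return sorted({row["COMMAND"] for row in results if row["Classification"] == marker})


if __name__ == "__main__":
    lookup = load_lookup(COMMAND_LOOKUP_CSV)
    for row in classify_processes(TOP_ROWS, lookup, default_match="NULL"):
        print(row)
    print("unclassified:", unclassified(classify_processes(TOP_ROWS, lookup, "NULL")))
```

Both paths produce the same table; the difference is only where the fallback lives. The transforms.conf route needs write access to configuration, while the coalesce route works from the search bar alone, which matters for the original poster's web-only access.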


lguinn2
Legend

Here is a tutorial on how to set up a lookup. It can be done entirely from the Splunk GUI.
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldlookups

lemikg
Communicator

Hi dwaddle, thanks for your feedback. Unfortunately I am not familiar with the stanza setup and in addition to that I have limited access (web interface only).

I would appreciate a search command solution.

0 Karma