Is there a way to display the lookup definition name or lookup table file name that contains the matching value in a search?
Example of query:
source=syslog | dedup src,dst | lookup listA ip_address as dst OUTPUTNEW | lookup listB ip_address as dst OUTPUTNEW | where isbad="true" | table device, src, dst
Expected result:
device src dst listA
device src dst listB
device src dst listA
device src dst listA
...etc
The only way I can think of to do this is to add a column to each list. For example:
listA.csv
ip_address,device,listNameA
192.188.17.252,xyz,listA
listB.csv
ip_address,isbad,listNameB
192.188.17.252,true,listB
Then your search would be
source=syslog | dedup src,dst
| lookup listA ip_address as dst OUTPUTNEW
| lookup listB ip_address as dst OUTPUTNEW
| where isbad="true"
| eval listName = listNameA + listNameB
| table device, src, dst, listName
Notice that if both lookups work, you could get a listName output that is listAlistB. And of course, I am completely making up where the fields are stored in the lookup tables...
More info would help make a better answer.
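An added example that is not part of the original answer and not Splunk's own code: a small Python model of the enrichment described above (dedup on src/dst, two CSV lookups applied with OUTPUTNEW semantics, filter on isbad, and a per-event record of which list matched). The watchlist contents, event list, and the field name listName are constructed for the example. It keeps the matched list names as separate values joined with a ";" rather than string-concatenating them, so a hit in both lists reads "listA;listB" instead of "listAlistB", and an IP present in only one list still gets a listName.

```python
import csv
import io
from typing import Dict, List, Optional, Tuple

# Constructed watchlists (not the asker's real data). As in the answer, each
# list carries an extra column naming the list it came from.
LIST_A_CSV = """ip_address,device,listName
192.188.17.252,xyz,listA
10.0.0.5,abc,listA
"""

LIST_B_CSV = """ip_address,isbad,listName
192.188.17.252,true,listB
10.0.0.9,true,listB
10.0.0.7,false,listB
"""

# Constructed syslog events with src/dst fields; the first two are a duplicate pair.
EVENTS = [
    {"src": "172.16.1.10", "dst": "192.188.17.252"},
    {"src": "172.16.1.10", "dst": "192.188.17.252"},  # removed by dedup src,dst
    {"src": "172.16.1.11", "dst": "10.0.0.5"},        # only in listA, no isbad field
    {"src": "172.16.1.12", "dst": "10.0.0.9"},        # only in listB
    {"src": "172.16.1.13", "dst": "10.0.0.7"},        # in listB but isbad=false
    {"src": "172.16.1.14", "dst": "8.8.8.8"},         # in neither list
]


def load_lookup(csv_text: str, key: str) -> Dict[str, dict]:
    """Parse a CSV lookup table into {key value: row}, like a Splunk CSV lookup."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def dedup(events: List[dict], fields: Tuple[str, ...]) -> List[dict]:
    """Keep the first event for each distinct combination of the given fields."""
    seen, out = set(), []
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def enrich(events: List[dict], lookups: List[Dict[str, dict]], match_field: str) -> List[dict]:
    """Apply each lookup in turn. OUTPUTNEW semantics: a lookup only fills fields
    the event does not already have. The listName column is collected into a
    list instead of being written as a single field."""
    results = []
    for ev in events:
        row = dict(ev)
        matched: List[str] = []
        for table in lookups:
            hit = table.get(row[match_field])
            if hit is None:
                continue
            matched.append(hit["listName"])
            for field, value in hit.items():
                if field in ("ip_address", "listName"):
                    continue
                row.setdefault(field, value)  # OUTPUTNEW: never overwrite
        row["listName"] = matched
        results.append(row)
    return results


def find_bad_talkers(events: List[dict]) -> List[Tuple[Optional[str], str, str, str]]:
    """Equivalent of: dedup src,dst | lookup listA | lookup listB | where isbad="true"
    | table device, src, dst, listName."""
    lookups = [load_lookup(LIST_A_CSV, "ip_address"), load_lookup(LIST_B_CSV, "ip_address")]
    rows = enrich(dedup(events, ("src", "dst")), lookups, "dst")
    bad = [r for r in rows if r.get("isbad") == "true"]
    return [(r.get("device"), r["src"], r["dst"], ";".join(r["listName"])) for r in bad]


if __name__ == "__main__":
    for line in find_bad_talkers(EVENTS):
        print(line)
```

Note that, exactly as in the original search, an IP that appears only in listA never reaches the output, because isbad is only supplied by listB; if both lists are meant to flag traffic, the filter has to be on "matched any list" rather than on a field that only one list provides.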
syslog contains src and dst fields with an IP address as the value. The goal is to identify a src that talks to a dst matching any of the IPs in the two lists. The query works as intended, but it would also be nice to know which list contains the matching dst IP.
This is being taken from the getwatchlist app.