Splunk Search

How to display matching lookup definitions in a search

thipsz
Explorer

Is there a way to display the lookup definition name or lookup table file name that contains the matching value in a search?
Example of query:
source=syslog | dedup src,dst | lookup listA ip_address as dst OUTPUTNEW | lookup listB ip_address as dst OUTPUTNEW | where isbad="true" | table device, src, dst

Expected result:
device src dst listA
device src dst listB
device src dst listA
device src dst listA
...etc


lguinn2
Legend

The only way I can think of to do this, is to add a column to each list. For example:

listA.csv

ip_address,device,listNameA
192.188.17.252,xyz,listA

listB.csv

ip_address,isbad,listNameB
192.188.17.252,true,listB

Then your search would be

source=syslog | dedup src,dst
| lookup listA ip_address as dst OUTPUTNEW
| lookup listB ip_address as dst OUTPUTNEW
| where isbad="true"
| eval listName = coalesce(listNameA,"") + coalesce(listNameB,"")
| table device, src, dst, listName

Notice that if both lookups work, you could get a listName output that is listAlistB. And of course, I am completely making up where the fields are stored in the lookup tables...

More info would help make a better answer.

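The tag-each-list approach from the answer above, worked through as an added example that is not part of this thread: a small Python emulation of the search, with two constructed watchlist CSVs (each carrying a listName column), a few constructed firewall events, Splunk-style dedup and OUTPUTNEW semantics, and the matching list names collected into a multivalue-style field (mvappend-like) instead of a concatenated string, so a destination present in both lists reports ['listA', 'listB'] rather than 'listAlistB'. All data, field names and function names here are assumptions for the demonstration.

```python
import csv
import io

# Constructed watchlists (not from the original thread). Each row carries
# the name of the list it belongs to, as the answer above suggests.
LIST_A_CSV = """ip_address,device,listName
192.188.17.252,xyz,listA
10.0.0.5,abc,listA
"""

LIST_B_CSV = """ip_address,isbad,listName
192.188.17.252,true,listB
172.16.4.9,true,listB
"""

# Constructed syslog-like events, already split into device/src/dst fields.
# The second event is a duplicate src/dst pair to exercise the dedup step.
EVENTS = [
    {"device": "fw01", "src": "10.1.1.10", "dst": "192.188.17.252"},
    {"device": "fw02", "src": "10.1.1.10", "dst": "192.188.17.252"},
    {"device": "fw01", "src": "10.1.1.11", "dst": "172.16.4.9"},
    {"device": "fw02", "src": "10.1.1.12", "dst": "10.0.0.5"},
    {"device": "fw02", "src": "10.1.1.13", "dst": "8.8.8.8"},
]


def load_lookup(csv_text, key="ip_address"):
    """Parse a lookup CSV into {key_value: row}, like a Splunk CSV lookup table."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def dedup(events, *fields):
    """Emulate `dedup src,dst`: keep the first event for each field combination."""
    seen, kept = set(), []
    for ev in events:
        sig = tuple(ev.get(f) for f in fields)
        if sig not in seen:
            seen.add(sig)
            kept.append(ev)
    return kept


def apply_lookup(event, table, event_field="dst", lookup_key="ip_address"):
    """Emulate `lookup <table> <lookup_key> as <event_field> OUTPUTNEW`.

    Matched columns are copied into the event, but fields the event already
    has are left untouched (that is what OUTPUTNEW means). The listName column
    is appended to a multivalue field, so two matching lists yield both names.
    """
    row = table.get(event.get(event_field))
    if row is None:
        return event
    for field, value in row.items():
        if field == lookup_key:
            continue
        if field == "listName":
            event.setdefault("matchedLists", []).append(value)
        elif field not in event:
            event[field] = value
    return event


def find_bad_destinations(events, lookups):
    """Run the full pipeline: dedup, apply each lookup in order, keep events
    with isbad='true', and report which list(s) matched the destination."""
    results = []
    for ev in dedup(events, "src", "dst"):
        ev = dict(ev)  # do not mutate the caller's events
        for table in lookups:
            apply_lookup(ev, table)
        if ev.get("isbad") == "true":
            results.append({
                "device": ev["device"],
                "src": ev["src"],
                "dst": ev["dst"],
                "matchedLists": ev.get("matchedLists", []),
            })
    return results


LOOKUPS = [load_lookup(LIST_A_CSV), load_lookup(LIST_B_CSV)]

if __name__ == "__main__":
    for hit in find_bad_destinations(EVENTS, LOOKUPS):
        print(hit)
```

Note that the event whose dst is in both lists keeps its own device value (fw01) rather than the device column from listA, which is the OUTPUTNEW behaviour; an event matching only listA never gets an isbad field and so drops out of the results, which is also what happens in the original search.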

thipsz
Explorer

syslog contains src and dst fields with IP addresses as values. The goal is to identify src that talks to dst matching any of the IPs in the two lists. The query works as intended, but it would also be nice to know which list contains the matching dst IP.
This is being taken from the getwatchlist app.
