How to display matching lookup definitions in a s...

thipsz · ‎03-05-2013

Is there a way to display lookup definition name or lookup table file name that contains matching value in a search?
Example of query:
source=syslog | dedup src,dst | lookup listA ip_address as dst OUTPUTNEW | lookup listB ip_address as dst OUTPUTNEW | where isbad="true" | table device, src, dst

Expected result:
device src dst listA
device src dst listB
device src dst listA
device src dst listA
...etc

lguinn2 · ‎03-06-2013

The only way I can think of to do this, is to add a column to each list. For example:

listA.csv

ip_address,device,listNameA 192.188.17.252,xyz,listA

listB.csv

ip_address,isBad,listNameB 192.188.17.252,true,listB

Then your search would be

source=syslog | dedup src,dst 
| lookup listA ip_address as dst OUTPUTNEW
| lookup listB ip_address as dst OUTPUTNEW 
| where isbad="true" 
| eval listName = listNameA + listNameB
| table device, src, dst, listName

Notice if both lookups work, you could get a listName output that is listAlistB. And of course, I am completely making up where the fields are stored in the lookup tables...

More info would help make a better answer.

thipsz · ‎03-06-2013

syslog contains src and dst fields with IP address as value. The goal is to identify src that talks to dst matching any of the IPs in the two lists. The query works as intended, but it would be also nice to know which list contains matching dst IP.
This is being taken from getwatchlist app.

How to display matching lookup definitions in a search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!