Search for ip in lookup based on system alias in csv

Trusty
Engager

Hello

I have a search query like this: index=test dscip=192.168.1.1 OR dscip=192.168.1.2 ...

I would like to search this list of IPs based on the system-alias in my lookup.

This is my sample lookup.csv:

system-alias,system-ip
prod,192.168.1.1
dev,192.168.2.2
prod,192.168.1.2

So what should a search query look like if I want to search only for prod IPs?


renjith_nair
Legend

@Trusty 
You can use the lookup to enrich the dataset and then filter based on the value

| makeresults
| eval dscip="192.168.1.1 192.168.2.2 192.168.1.2"
| makemv dscip
| mvexpand dscip
| rename comment as "Above is just data generation"
| lookup lookup.csv system-ip as dscip OUTPUT system-alias as env
| where env = "prod"
---
What goes around comes around. If it helps, hit it with Karma 🙂


Trusty
Engager

It works; I have an IP list based on the specified system name (prod etc.). Now how can I associate this list with a search, so that the list of IPs displayed by this query can be attached to dscip?
| search sourcetype="new" DstIP=(list of above ip)
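The following is an added example, not code from the thread or from Splunk, that reproduces outside Splunk what the accepted answer's pipeline does (lookup enrichment, then filtering on the alias) and also builds the "field=ip OR field=ip" clause the follow-up asks about from the same lookup. It assumes a copy of the question's lookup.csv and a handful of constructed events standing in for index=test; the field names (dscip, env, system-alias, system-ip) are the page's own.

```python
import csv
import io

# Constructed copy of the lookup.csv from the question (held in memory, not read from disk).
LOOKUP_CSV = """system-alias,system-ip
prod,192.168.1.1
dev,192.168.2.2
prod,192.168.1.2
"""

# Constructed sample events standing in for index=test. The last one carries an
# IP that is absent from the lookup, which is exactly what "where env = prod" drops.
EVENTS = [
    {"dscip": "192.168.1.1", "msg": "a"},
    {"dscip": "192.168.2.2", "msg": "b"},
    {"dscip": "192.168.1.2", "msg": "c"},
    {"dscip": "10.0.0.9", "msg": "d"},
]


def load_lookup(csv_text):
    """Map system-ip -> system-alias, mirroring "| lookup lookup.csv system-ip as dscip"."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["system-ip"].strip()
        if ip:  # skip rows with an empty IP so they never match an event
            table[ip] = row["system-alias"].strip()
    return table


def enrich(events, table):
    """Add env=<alias> to every event; IPs not in the lookup get env=None (null in Splunk)."""
    return [dict(ev, env=table.get(ev["dscip"])) for ev in events]


def filter_env(events, env):
    """The "| where env = \"prod\"" step: keep only events whose alias matches."""
    return [ev for ev in events if ev["env"] == env]


def ip_clause(table, env, field="dscip"):
    """Build the 'field="ip" OR field="ip"' search clause for one alias, as a subsearch would."""
    ips = sorted(ip for ip, alias in table.items() if alias == env)
    return " OR ".join(f'{field}="{ip}"' for ip in ips)


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    print(filter_env(enrich(EVENTS, table), "prod"))
    print(ip_clause(table, "prod", field="DstIP"))
```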
