Solved: Basic lookup command

clozach · ‎10-14-2019

Hi all,

I am curious the best way to write the following lookup query.

I have a 1 column lookup of firewall rule names. I would like to search our firewall index and use the lookup to determine which firewall rules haven't been used in the last 30 days.

Thanks for your time and help.

somesoni2 · ‎10-14-2019

Try something like this (assuming there is a field firewall_rule available in your firewall data and same field name is used in your single column lookup. )

index=yourFirewallIndex [| inputlookup firewall_rulename.csv | table firewall_rule ]
| stats count by firewall_rule 
| append [| inputlookup firewall_rulename.csv | table firewall_rule | eval count=0]
| stats max(count) as count by firewall_rule | where count=0

View solution in original post

somesoni2 · ‎10-14-2019

Try something like this (assuming there is a field firewall_rule available in your firewall data and same field name is used in your single column lookup. )

index=yourFirewallIndex [| inputlookup firewall_rulename.csv | table firewall_rule ]
| stats count by firewall_rule 
| append [| inputlookup firewall_rulename.csv | table firewall_rule | eval count=0]
| stats max(count) as count by firewall_rule | where count=0

clozach · ‎10-15-2019

Hi somesoni2,

Thanks so much! This worked. I'm not sure how to accept it as an answer since it is a comment, but I appreciate the help. If you re-post as an answer I will mark it as accepted.

Again, thank you 🙂

somesoni2 · ‎10-15-2019

Here you go.

Basic lookup command

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases