Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add entry of source ip,host from the search or notable into lookup table

HPACHPANDE
Explorer
‎02-14-2024 06:54 PM

Hello Team,

Required help regarding below points :

1] how to add entry of  the ran search with the fields Host, SourceIP and DestinationIP into lookup table.

2] how to add entry into lookup table from the notable triggered or contributing events of the notable.

 

Requirement here is that need to create co relation rule from the lookup values which will be taking from previously triggered notables.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-14-2024 10:57 PM

Hi @HPACHPANDE ,

you have to save the results of your search in a lookup using the outputlookup command (https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Outputlookup).

the fields to save in the lookup depends on your search.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...