How to compare search result with a lookup file

LeandroKopke · ‎06-14-2018

I have a lookup file with the following fields

original_login_name, client_net_address and Datase_Name
I have these my fields in my search for splunk, using the query

index=sql sourcetype="mssql:execution:dm_exec_sessions" host="*" | rename client_net_address AS "IP_Origem" current_database_name AS Datase_Name original_login_name AS "Usuário" |stats count by login_time, IP_Origem, Datase_Name, Usuário |sort - count

How do I make a comparison between the search and the lookup, so that it returns me to only results that are not the same as the original_login_name, client_net, address and Datase_name fields?

Examples:

Lookup:
Fields: original_login_name, client_net_address, Datase_name
Value: aud_cdt, 10.1.1.5, Teste

Logs:
Fields: original_login_name, client_net_address, Datase_name
Value: aud_cdt, 10.1.1.5, Teste
Value: aud_cdt, 10.1.1.8, Teste
Value: edt_aud, 10.1.1.5, Teste

The search should return the following results:
Value: aud_cdt, 10.1.1.8, Teste
Value: edt_aud, 10.1.1.5, Teste

somesoni2 · ‎06-14-2018

Try like this

index=sql sourcetype="mssql:execution:dm_exec_sessions" host="*" | rename client_net_address AS "IP_Origem" current_database_name AS Datase_Name original_login_name AS "Usuário" |stats count by login_time, IP_Origem, Datase_Name , Usuário 
| where NOT [| inputlookup YourLookupTable.csv | table original_login_name, client_net_address ,Datase_Name | rename original_login_name AS "Usuário" , client_net_address  as AS "IP_Origem"  ]|sort - count

How to compare search result with a lookup file

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...