Hello 🙂
I want to find in subsearch autonomous_system for the IP address which I provided (in this example for 1.1.1.1) . Next, based on the name of the autonomous_system returned from subsearch, I want to find all IP addresses connecting to my network that belongs to that autonomous_system.
For now I have something like that:
index=firewall src_ip=*
| lookup asn ip as src_ip
[search index=firewall src_ip=1.1.1.1
| fields src_ip
| lookup asn ip as src_ip
| rename autonomous_system AS subsearch_autonomous_system
| dedup subsearch_autonomous_system]
| stats values(src_ip) by subsearch_autonomous_system
But when I run this search I get this error:
Error in 'lookup' command: Cannot find the source field '(' in the lookup table 'asn'.
Can anyone help me with that?
Regards
Daniel
Your subsearch is in the wrong place - it should be a constraint to the outer search, whereas now it is attached to your lookup statement on your second line, hence the error.
There are a couple of ways to solve this
1. Make the lookup an automatic lookup. That means the outer search will already have the autonomous_system value from the event's src_ip. In that case you can do the search like this
index=firewall src_ip=*
[
| makeresults
| eval src_ip="1.1.1.1"
| lookup asn ip as src_ip
| fields autonomous_system
]
| stats values(src_ip) by autonomous_system
There is no point in searching the index in the subsearch just to construct a lookup for an IP address, just use makeresults to perform the lookup.
2. If you do not already have the autonomous_system in your data you can't use a subsearch to constrain it, so you will have to do the lookup twice, the first time to get the subsystem for the event and the second to get the subsystem of the wanted match IP (1.1.1.1), so the search is
index=firewall src_ip=*
| lookup asn ip as src_ip
| eval match_src_ip="1.1.1.1"
| lookup asn ip as match_src_ip OUTPUT autonomous_system as wanted_autonomous_system
| where autonomous_system=wanted_autonomous_system
| stats values(src_ip) by autonomous_system
Hope this helps
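To make the two points above concrete outside Splunk, here is an added Python model of the same logic (my own example, not code from the answer's author or from Splunk). It assumes a constructed, CIDR-keyed ASN table and a handful of constructed firewall events; real ASN tables are prefix-based, so the lookup here does longest-prefix matching rather than the exact IP match the page's `asn` lookup implies. `build_outer_search` shows what the subsearch in option 1 actually hands back to the outer search (a field constraint, which is why it belongs next to `index=firewall`, not next to `lookup`), and `ips_sharing_asn` walks through option 2: enrich every event, resolve the wanted ASN once, filter, then group.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed ASN lookup table (sample values only, not real routing data).
# Keyed by CIDR prefix, as an ASN table normally is.
ASN_LOOKUP_CSV = """ip,autonomous_system
1.1.1.0/24,AS13335 Cloudflare
1.0.0.0/24,AS13335 Cloudflare
8.8.8.0/24,AS15169 Google
203.0.113.0/24,AS64496 Example
"""

# Constructed firewall events standing in for index=firewall src_ip=*.
FIREWALL_EVENTS = [
    {"src_ip": "1.1.1.1", "dest_port": 443},
    {"src_ip": "1.0.0.7", "dest_port": 22},
    {"src_ip": "8.8.8.8", "dest_port": 53},
    {"src_ip": "203.0.113.9", "dest_port": 443},
    {"src_ip": "1.1.1.200", "dest_port": 80},
    {"src_ip": "192.0.2.1", "dest_port": 443},  # not covered by the table
]


def load_asn_lookup(csv_text):
    """Parse the CSV table into (network, asn) pairs, most specific prefix first."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        nets.append((ipaddress.ip_network(row["ip"], strict=False),
                     row["autonomous_system"]))
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def lookup_asn(nets, ip):
    """Equivalent of `| lookup asn ip as <field>`: longest-prefix match, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in nets:
        if addr in net:
            return asn
    return None


def build_outer_search(nets, ip):
    """Option 1: the subsearch resolves the ASN for one IP and returns it as a
    search constraint that Splunk appends to the outer search terms."""
    asn = lookup_asn(nets, ip)
    if asn is None:
        return None  # an empty subsearch would constrain the outer search to nothing
    return 'index=firewall src_ip=* autonomous_system="%s"' % asn


def ips_sharing_asn(events, nets, match_src_ip):
    """Option 2: look up every event's ASN, look up the wanted ASN once,
    keep matching events and group src_ip values by autonomous_system."""
    wanted = lookup_asn(nets, match_src_ip)
    if wanted is None:
        return {}
    grouped = defaultdict(set)
    for event in events:
        asn = lookup_asn(nets, event["src_ip"])
        if asn is not None and asn == wanted:
            grouped[asn].add(event["src_ip"])
    # stats values(src_ip) by autonomous_system -> sorted, de-duplicated values
    return {asn: sorted(ips) for asn, ips in grouped.items()}


if __name__ == "__main__":
    table = load_asn_lookup(ASN_LOOKUP_CSV)
    print(build_outer_search(table, "1.1.1.1"))
    print(ips_sharing_asn(FIREWALL_EVENTS, table, "1.1.1.1"))
```

Note the `None` branch in `build_outer_search`: if the lookup has no row for the probe IP, the subsearch returns nothing and the outer search is constrained to no events, which is the same silent empty result you would see in Splunk rather than an error.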
Thank you for such detailed explanation 🙂