Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup in main search and subsearch - how to compare the results?

dsms
Engager
‎09-04-2023 12:23 PM

Hello 🙂
I want to find in subsearch autonomous_system for the IP address which I provided (in this example for 1.1.1.1) . Next, based on the name of the autonomous_system returned from subsearch, I want to find all IP addresses connecting to my network that belongs to that autonomous_system
For now I have something like that:

index=firewall src_ip=*
| lookup asn ip as src_ip

[search index=firewall  src_ip=1.1.1.1
| fields src_ip
| lookup asn ip as src_ip
| rename autonomous_system AS subsearch_autonomous_system
| dedup subsearch_autonomous_system]

| stats values(src_ip) by subsearch_autonomous_system

But when I run this search I got error:
Error in 'lookup' command: Cannot find the source field '(' in the lookup table 'asn'.

Can anyone help me with that?

Regards
Daniel

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2023 03:42 PM

Your subsearch is in the wrong place - it should be a constraint to the outer search, whereas now it is attached to your lookup statement on your second line, hence the error.

There are a couple of ways to solve this

1. Make the lookup an automatic lookup. That means the outer search will already have the autonomous_system value from the event's src_ip. In that case you can do the search like this

index=firewall src_ip=* 
[ 
  | makereults
  | eval src_ip=1.1.1.1
  | lookup asn ip as src_ip
  | fields autonomous_system
]
| stats values(src_ip) by autonomous_system

There is no point in searching the index in the subsearch just to construct a lookup for an IP address, just use makeresults to perform the lookup.

2. If you do not already have the autonomous_subysystem in your data you can't use a subsearch to constrain it, so you will have to do the lookup twice, the first time to get the subsystem for the event and the second to get the subsystem of the wanted match IP (1.1.1.1), so the search is

index=firewall src_ip=* 
| lookup asn ip as src_ip
| eval match_src_ip=1.1.1.1
| lookup asn ip as match_src_ip OUTPUT autonomous_system as wanted_autonomous_system
| where autonomous_system=wanted_autonomous_system
| stats values(src_ip) by autonomous_system

Hope this helps

View solution in original post

Reply
Solved! Jump to solution

dsms
Engager
‎09-11-2023 01:17 AM

Thank you for such detailed explanation 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2023 03:42 PM

Your subsearch is in the wrong place - it should be a constraint to the outer search, whereas now it is attached to your lookup statement on your second line, hence the error.

There are a couple of ways to solve this

1. Make the lookup an automatic lookup. That means the outer search will already have the autonomous_system value from the event's src_ip. In that case you can do the search like this

index=firewall src_ip=* 
[ 
  | makereults
  | eval src_ip=1.1.1.1
  | lookup asn ip as src_ip
  | fields autonomous_system
]
| stats values(src_ip) by autonomous_system

There is no point in searching the index in the subsearch just to construct a lookup for an IP address, just use makeresults to perform the lookup.

2. If you do not already have the autonomous_subysystem in your data you can't use a subsearch to constrain it, so you will have to do the lookup twice, the first time to get the subsystem for the event and the second to get the subsystem of the wanted match IP (1.1.1.1), so the search is

index=firewall src_ip=* 
| lookup asn ip as src_ip
| eval match_src_ip=1.1.1.1
| lookup asn ip as match_src_ip OUTPUT autonomous_system as wanted_autonomous_system
| where autonomous_system=wanted_autonomous_system
| stats values(src_ip) by autonomous_system

Hope this helps

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...