We run searches against logs that return, as part of the dataset, IP addresses. We basically want to know what network and VLAN a given address belongs to so I created a CSV file that contains the following:

So I'd like to pull in the CSV data and perform a cidrmatch against it using each IP address the search comes across. If there is no match I want the fields to just return "No Data" so we can then go and update the CSV with anything missing.

| inputlookup Network_VLAN_Names.csv | fields network vlan name | where NOT isnull(network)

The first issue is that if there is no match, the row isn't returned at all (I just want particular fields in a row of returned data to reflect the VLAN and friendly name of the network (if available in the CSV), not for the row to not be available). There's probably a simple solution to this but I'm not seeing it!

First, and primarily, I'd switch the csv file /inputlookup into a regular cidr based lookup. Settings/Lookups/Lookup Definitions (the file's already there so you don't have to add it in "lookup table files"). Add a new lookup definition, name it "networks" or similar, pick your file. On "Match type" type in "CIDR(network)" to tell it to cidrmatch on the csv file's field "network."

Then here's a run anywhere search that creates three ip addresses (each in their own event), then uses the lookup we just created to match it to a network.

| lookup networks network as ip output name

I do it this way because if you were, say, matching against firewall data, you could replace the first four lines (makeresults through mvexpand) with whatever search you had that displayed an IP address, then modify the lookup slightly and it should work on data of pretty much unbounded size, and quickly. In your case, if dest_ip is the field to use, you'd use something like

index=firewall sourcetype=cisco:asa blah blah
| lookup networks network as dest_ip output name

And obviously, that last line can be changed to `| stats count by name` or any number of other things.

For reference, my networks.csv looks like this:

network,name

And the nf entry looks like

And the transforms.

"can't make it work" is not a great problem statement. What results do you get and how do they compare to what you want to get?

The inputlookup command is a generating command so it has to be the first command in a search. That's one reason the sample query doesn't work. I suspect you're wanting to read the CSV and use the list of admin names to filter data in an index. In Splunk, a subsearch is identified by square brackets and executes first. The output of the subsearch is appended to the main search before execution continues. Try this example:

index=win sourcetype=wineventlog EventCode=*the events im looking for*

The inputlookup command is first command in a subsearch. The subsearch runs, reads the file.csv then formats the results into the form "(admin=foo OR admin=bar OR admin=baz)". It's important for the field name read from the CSV to match a field name in the index used by the main search. Use a rename in the subsearch to satisfy that requirement.

It should be noted that the phrase EventCode=*the events im looking for* needs to have a single value on the right hand side. If you want to search for multiple event codes then use an OR expression or the IN operator.

index=win sourcetype=wineventlog (EventCode=4123 OR EventCode=4124)
index=win sourcetype=wineventlog EventCode IN (4123, 4124)

A subsearch is a search within a primary, or outer, search. When a search contains a subsearch, the subsearch typically runs first. Subsearches must be enclosed in square brackets in the primary search.
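To make the rename point from the admin-list thread concrete, here is an added example of the inputlookup subsearch pattern; it is my illustration, not a search posted in the thread. It assumes a lookup file named admins.csv whose single column is admin (the column name the answer refers to), and that the Windows events carry the account name in a field called user; the file name and the user field are assumptions.

```spl
index=win sourcetype=wineventlog EventCode IN (4123, 4124)
    [| inputlookup admins.csv
     | rename admin AS user
     | fields user]
| stats count BY user EventCode
```

The subsearch runs first and returns one row per admin; Splunk formats those rows as `(user="foo") OR (user="bar") OR ...` and splices that expression into the outer search before it executes. Without the rename the generated filter would be `admin="foo" OR ...`, which matches nothing because the events have no admin field. The `fields user` keeps any extra CSV columns out of the generated filter. Two caveats worth checking in limits.conf: a subsearch is capped by default at 10,000 results and 60 seconds, and a longer admin list is silently truncated, so a very large list is better handled with a lookup than a subsearch.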
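As an added example for the CIDR thread above (mine, not the answerer's run-anywhere search, which is not reproduced on this page), the following exercises the lookup definition from the answer and also covers the asker's request that unmatched addresses show "No Data" instead of the row disappearing. It assumes a lookup definition named networks with match type CIDR(network), and a CSV with columns network, vlan and name as in the asker's inputlookup; the three IP addresses are constructed test values.

```spl
| makeresults count=3
| streamstats count AS n
| eval dest_ip=case(n==1, "10.1.2.3", n==2, "10.1.9.9", n==3, "192.0.2.77")
| lookup networks network AS dest_ip OUTPUT name vlan
| fillnull value="No Data" name vlan
| table dest_ip name vlan
```

The reason this keeps every row is that lookup, unlike a filtering subsearch or a join, never drops an event: when no CIDR in the file matches, name and vlan are simply absent, and fillnull then writes the "No Data" sentinel into them. Appending `| where name="No Data"` gives exactly the list of addresses that still need an entry in the CSV. To run it against real traffic, replace the first three lines with the search that produces dest_ip, as the answer suggests.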