
Hi, I am trying to do a looping search using lookup tables and the map command; however, I cannot get the correct result. If possible, please help me get the correct search command.

These are my logs:

md5=7e8b33fdaf6ff8a8e228883019bf7049 filetype="PE32 executable (GUI) Intel 80386, for MS Windows" dnsinfo_hostname=etsiunjour.fr dnsinfo_ip=176.31.255.41

First, I would like to get the value of the dnsinfo_hostname field. Then I do a lookup from the following csv file:

dnsinfo_hostname, resolved_IP
etsiunjour.fr, 90.156.201.31
etsiunjour.fr, 90.156.201.71
etsiunjour.fr, 90.156.201.94
etsiunjour.fr, 90.156.201.113
aaa.com, 90.156.201.94
bbb.com, 90.156.201.71
ccc.com, 90.156.201.94

When I do the search I get dnsinfo_hostname=etsiunjour.fr with its resolved_IP=[90.156.201.31, 90.156.201.71, 90.156.201.94, 90.156.201.113]. For each resolved_IP, do a lookup on the csv file again to get:

90.156.201.94 -> [aaa.com, ccc.com]
90.156.201.71 -> [bbb.com]

Finally, I would like to show: hostname=etsiunjour.fr, resolved_IP=[90.156.201.31, 90.156.201.71, 90.156.201.94(aaa.com, ccc.com), 90.156.201.113]

Is it possible that Splunk can help me do this? Or do I have to do it using external Python code? Thanks!

asked 17 Aug '12, 01:43


JuliaCheng


2 Answers:

It's fairly straightforward to get something that KIND OF works. To get a list of all the IPs and domains associated with the input domain, you could do:

| inputlookup yourlookup | search [| inputlookup yourlookup | search dnsinfo_hostname="etsiunjour.fr" | fields resolved_IP] | stats values(dnsinfo_hostname) by resolved_IP

This will first of all run a subsearch that gets all IPs associated with the "etsiunjour.fr" domain in the lookup, then once again check the lookup for which domains are associated with those IPs. The output will be the resolved IPs and a list of associated domains for each.

Moving on from that, there are a number of tricky things that need to be solved in order to get the exact format you're looking for. You need to find the domains that are NOT the input domain, and add them to a comma-separated list that is then put within parentheses after the IP number. Finally, all these IPs, including any extra info, should be put into a multivalued field. After messing around a bit, I came up with the following search that should do what you want:

| inputlookup dns.csv
| search
  [| inputlookup dns.csv 
   | search dnsinfo_hostname="etsiunjour.fr" | fields resolved_IP ]
| mvcombine dnsinfo_hostname
| eval resolved_IP=if(mvcount(dnsinfo_hostname)>1,resolved_IP+"("+mvjoin(mvfilter(NOT match(dnsinfo_hostname,"etsiunjour.fr")),",")+")",resolved_IP)
| eval dnsinfo_hostname="etsiunjour.fr"
| mvcombine resolved_IP

While I can't say it looks pretty, it does work and shows some of the flexibility you get with Splunk's search language. :)

Note that the input domain ("etsiunjour.fr") is used in three places in the search. This is because once the initial resolving and reverse resolving is done, it's hard to know what the original input domain was. The easiest would be to implement this search as a macro, or in a form that can just refer to the input domain as a variable name.


answered 17 Aug '12, 06:25


Ayn

Thank you very much. I really appreciate your answer, and it works SUPER fine. Finally, it shows

dnsinfo_hostname   resolved_IP
etsiunjour.fr      90.156.201.113(aaa.com) 90.156.201.31 90.156.201.71 90.156.201.94(bbb.com)

(17 Aug '12, 12:06) JuliaCheng

Awesome! If you feel your question was answered, could you please mark the answer as accepted? Thanks!

(17 Aug '12, 13:27) Ayn
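The same two-hop pivot (host -> IPs -> other hosts sharing each IP, with the input domain excluded from the parentheses) written as plain Python, for the "external python code" route the question raises. This is an added example, not code from the thread; the lookup rows are the question's own CSV, embedded here as a constructed string.

```python
import csv
import io
from collections import defaultdict

# Constructed sample lookup: the same rows as the CSV posted in the question.
LOOKUP_CSV = """dnsinfo_hostname, resolved_IP
etsiunjour.fr, 90.156.201.31
etsiunjour.fr, 90.156.201.71
etsiunjour.fr, 90.156.201.94
etsiunjour.fr, 90.156.201.113
aaa.com, 90.156.201.94
bbb.com, 90.156.201.71
ccc.com, 90.156.201.94
"""


def load_lookup(text):
    """Build a forward index (host -> [IPs]) and a reverse index (IP -> [hosts]).

    skipinitialspace tolerates the ", " separators used in the question's file;
    insertion order is kept so output matches the lookup's row order."""
    forward = defaultdict(list)
    reverse = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text), skipinitialspace=True):
        host = row["dnsinfo_hostname"].strip()
        ip = row["resolved_IP"].strip()
        if ip not in forward[host]:
            forward[host].append(ip)
        if host not in reverse[ip]:
            reverse[ip].append(host)
    return forward, reverse


def pivot_domain(hostname, forward, reverse):
    """Resolve hostname to its IPs, then annotate each IP with the OTHER
    hosts that resolve to it, as 'ip' or 'ip(other1,other2)'.
    An unknown hostname yields an empty list."""
    out = []
    for ip in forward.get(hostname, []):
        others = [h for h in reverse[ip] if h != hostname]
        out.append(f"{ip}({','.join(others)})" if others else ip)
    return out


def render(hostname, forward, reverse):
    """Format one result line in the shape the question asks for."""
    return f"hostname={hostname}, resolved_IP=[{', '.join(pivot_domain(hostname, forward, reverse))}]"


if __name__ == "__main__":
    fwd, rev = load_lookup(LOOKUP_CSV)
    print(render("etsiunjour.fr", fwd, rev))
```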

I wouldn't use the map command; it is a very expensive command in terms of search processing. Try this one:

sourcetype=YOURSOURCETYPE index=*| lookup YOURFILE.csv dnsinfo_hostname OUTPUT resolved_IP|stats values(dnsinfo_hostname) as original_hostname by resolved_IP|lookup YOURFILE.csv resolved_IP OUTPUT dnsinfo_hostname


answered 17 Aug '12, 06:35


alacercogitatus


Last updated: 17 Aug '12, 13:27

Copyright © 2005-2012 Splunk Inc. All rights reserved.