Re: Compare entire lookup table to another

splunk219783 · ‎08-25-2023

I thought this would be easy but i'm struggling. I have a CSV of firewall rules from yesterday, and a CSV of Firewall rules from today. They're being ingested into splunk but i figured the easiest way to compare the two would be to make them lookup tables. But I can't figure how to compare ALL values? This is to audit for any changes. The Data is kind of like this:

Yesterdays Rules:

Name	Action	SrcIp	DestIp	Port
WebServer	Allow	192.168.1.2	192.168.0.3	80
Application	Deny	192.168.1.10	192.168.0.11	1020
Outbound	Allow	192.168.0.0/24	*	80

Todays Rules

Name	Action	SrcIp	DestIp	Port
WebServer	Allow	192.168.1.2	192.168.0.3,192.168.0.4	80
Application	Deny	192.168.1.10	192.168.0.11	1020
Outbound	Allow	192.168.0.0/24	*	80

In the example the Webserver can now access an additional server. But in reality any value could change and I need to alert on it. I basically just want to do a diff. A little surprised its difficult to do in splunk.

gcusello · ‎08-25-2023

Hi @splunk219783,

you have to use stats, please try something like this:

| inputlookup yesterday_rules.csv
| eval lookup_name="yesterday_rules.csv"
| append [ | | inputlookup today_rules.csv | eval lookup_name="today_rules.csv" ]
| stats 
   dc(lookup_name) AS lookup_name_count 
   values(lookup_name) AS lookup_name
   BY Name Action SrcIp DestIp Port
| where lookup_name_count=1
| table Name Action SrcIp DestIp Port lookup_name

in this way you have all the differences.

Ciao.

Giuseppe

Compare entire lookup table to another

lookup

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud