Solved

C.Lookup Function Not Dropping Events With Constant File Path Matching

  • February 7, 2026
  • 4 replies
  • 1 view

This message originated from Cribl Community Slack.

If I have data with some file paths in it. Example:

A:\Program Files\SplunkUniversalForwarder
B:\Program Files\SplunkUniversalForwarder
C:\Program Files\SplunkUniversalForwarder
D:\Program Files\SplunkUniversalForwarder

And I want to drop events with SplunkUniversalForwarder in the value.... How do I do that in 1 C.Lookup function? Right now, I have C.Lookup('myLookup.csv').match(fieldName) where fieldName is the field where both my values above exist. But I have to add each one of those full paths into my lookup file. I'm trying to avoid putting the entire file path into my CSV file since it changes so often. I would rather just put a constant in there if possible.

Best answer by Ralph No.

I set up something similar recently. Until I find the code/pipeline, just the basic idea: the lookup has a binary field called 'enabled'. Which is handy by itself, because you can temporarily disable rules/lines instead of having to remove them. You do a lookup against the enabled field, so you get all fields from all 'enabled' lines. You add them as temporary/local fields (__ prefixed). Now you can compare whatever fields you have in the event against what you received from the lookup. Dynamic key/value matching.

Example: the lookup has

enabled, ParentProcess, Application, ...
true, foo, bar, ...

After the lookup you have __lookupResult_ParentProcess = foo. Now you can do a drop (or whatever) if ParentProcess == __lookupResult_ParentProcess (which might be an array, so you need to check if the event value is in the array).
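The pattern from the answer above, as an added example that is not part of the original thread or of Cribl's own code: a small rule table with an `enabled` column is collapsed into `__lookupResult_<field>` arrays, and an event is dropped when one of its fields contains one of the constants for that field (substring match, so full paths never need to go into the CSV). The CSV rows, the `parseRules`/`lookupEnabled`/`shouldDrop` names and the sample events are all constructed here; in a real pipeline the rows would come from the Lookup function and `shouldDrop` would be the Drop function's filter expression.

```javascript
// Constructed rule table standing in for the lookup CSV. Only 'true' rows are
// active; the third row shows a rule parked with enabled=false instead of deleted.
const RULES_CSV = `enabled,ParentProcess,Application
true,SplunkUniversalForwarder,
true,,foo.exe
false,DisabledParent,`;

// Minimal CSV parser (no quoting) returning one object per row, keyed by header.
function parseRules(csv) {
  const [header, ...lines] = csv.trim().split('\n');
  const cols = header.split(',');
  return lines.map(line => {
    const vals = line.split(',');
    return Object.fromEntries(cols.map((c, i) => [c, vals[i] || '']));
  });
}

// Collect the values of every enabled row into __lookupResult_<column> arrays,
// one array per column, skipping empty cells. This is what the answer describes
// the Lookup function producing when matched against the 'enabled' column.
function lookupEnabled(rules) {
  const out = {};
  for (const r of rules) {
    if (r.enabled !== 'true') continue;
    for (const [k, v] of Object.entries(r)) {
      if (k === 'enabled' || v === '') continue;
      (out[`__lookupResult_${k}`] = out[`__lookupResult_${k}`] || []).push(v);
    }
  }
  return out;
}

// Drop decision: for each lookup column, look at the event field of the same
// name and check whether it contains any of the enabled constants. Because the
// lookup result is an array, the check is "is any constant in the value", not
// an equality test.
function shouldDrop(event, lookupResult) {
  return Object.entries(lookupResult).some(([k, constants]) => {
    const field = k.replace('__lookupResult_', '');
    const v = event[field];
    return typeof v === 'string' && constants.some(c => v.includes(c));
  });
}
```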

4 replies

  • Author
  • Participating Frequently
  • February 7, 2026
Also - this same dataset has additional field names that denote process names, such as ParentProcessName, ProcessName, ApplicationName; it would appear that I need a different lookup file for each field name to call. Unless there's a way to call different keys to match against in a C.Lookup expression.

  • Participating Frequently
  • February 7, 2026
Cannot follow 100%. Can you show an example event and how your lookup is structured? Maybe C.LookupRegex is your friend. But actually I am not sure what you use the lookup for. It looks to me like you simply want to match against a string in the event.

  • Author
  • Participating Frequently
  • February 7, 2026
Mostly, yes. These are just Windows Event Logs parsed into JSON using the pack. Instead of doing a _raw.includes('string') || _raw.includes('otherString') a bunch of times for drops, the idea is to use a C.Lookup function to do this with. The problem I run into is that A) the C.Lookup function requires the full value to be in the lookup to match against. Also, if I have multiple field keys to match against, such as Process, ParentProcess, Application, then I would need a way to match against all 3 keys within a CSV. My thought was something like this would be cool: C.Lookup('mylookup.csv').match.includes('string')
