0:00:01.56  Hi, Travis with Splunk here. In this video I want to go over lookup tables and give you an example of how I use lookup tables. I've pulled up a search here that shows the activity of the different devices on my home network. I can see there is a spike in data, and instead of me having to remember the IP address of that device, I can have a lookup table translate that IP to a hostname, so that when I hover over this spike of data I get a name instead of an IP address. And this is very helpful, because I don't want to remember all the IP addresses for all the 30-plus devices that are in my house, or in my home environment.

0:00:50.64  So if you're new to Splunk, or you're sitting here going "lookup tables, why are they important, what are you talking about, Travis?", let's go to your favorite search engine, whatever you want to use, and do a search on "Splunk lookup tables". That'll give you ways to find more information and use our documentation. I find doing a search in your favorite search engine is the easiest way to find stuff in our documentation. So the first result is the lookup command; I am using that lookup command in this search. And then if we go back here, the second one is "About lookups", and then there's other lookup command examples, there is "how to use lookup table", the Splunk Community, Splunk Answers, but I'm going to go into this "About lookups" Splunk documentation and show you more information about the lookup table.

0:01:47.58  Here: what is a lookup? A way to enrich the data that you are collecting. The four types of lookup: CSV, external, KV store, and even geo. And then more information about each one of those four types of lookup tables. I'm going to focus on CSV today. And here we have a link to how I can create and bring a lookup table into Splunk using the web GUI, or, if you like, using the configuration file / CLI; there's a link for that. But for today we are going to go into this link here, which defines a CSV lookup, gives you more information about that CSV file, and then how to upload that file.

0:02:38.46  And if you need an example of a lookup table, we have "see lookup for an example"; this "lookup" is a hyperlink, and we can drill down even further and see examples of a lookup table. An example that we provide (I say "we", meaning Splunk) is an HTTP status code lookup. And you can go ahead and download that so you can see it, or just review the sample that Splunk has provided, where it shows the header fields: status, comma, status description, comma, status type, and then the values that are associated with the header fields, and it's all comma separated, with no spaces. So you can see, like, 200, OK, and Successful, and three different header fields. And then the steps to go ahead and add those lookup tables into your Splunk Web.

0:03:36.54  So let's take one step back here. In here is more information about lookup tables and how to get them in there, so just take some time and go through all of this. I could probably spend an hour on lookup tables, but what I'm going to do is also scroll down here, because there's something else I want to show. This is back on the "About lookups" page, and if I scroll down: more lookup table definitions, automatic lookups. This is great, so instead of having to invoke that lookup command during the search, I can go ahead and set up an automatic lookup that will be invoked at search time and bring in that information that you would need.

0:04:22.02  So the last thing I'm going to talk about on this page is commands and lookups. There are three commands that are related to lookup tables. I've already shown lookup, but there's also inputlookup and outputlookup. So you can manually create your lookup file, or we can actually use outputlookup in a Splunk search to create a lookup table, to get that information into Splunk so you can use it with other Splunk searches, and I will go over that, and we're going to build that out today. So let's back up. Here's where I'm using the lookup command, there, with this lookup table. We have a couple of different ways of being able to look at what data is in that lookup table, that CSV file, and that inputlookup command is one way, and then there's an app that you can download.

0:05:24.60  So let me show off the inputlookup command real quick. So, inputlookup, and you can see I've already used this command before. And before I go any further, if you like how I get, I'll click inputlookup, if you like how I'm getting a lot of information over here, and if you're not getting this much information, like when I click "more", you'll go up to administrator, or whoever you're logged in as, your user account name, go to Preferences and then SPL Editor, and you can change this on your account for your preference. Splunk by default will have it on Compact, and you can select Full.

0:06:05.52  And then, if you've ever noticed, when I hit the pipe it drops down a new line; that's this "Search auto-format". So I select it so it automatically drops a new line every time, and you'll probably see that here in a minute. So I'm going to go ahead and hit Cancel. So I have inputlookup and, what was that? Hall? Yep, I've already got it there, so I'll just click on that and click Run. So all this command does is bring the data into a Splunk search so I can view it. This is a CSV file that I have uploaded; I have edited and made adjustments to it, and this is the CSV file that is being used in this search, where my destination IP will go down here and, if it makes a match, it outputs me the hostname. Now the other way that we can edit this file is an app.

0:07:02.88  And do I have that up? Nope. So we'll go here, Apps, and we're going to go to Splunk App for Lookup File Editing, and this is an app that I've downloaded off of Splunkbase. If you've never, I'll back up, or before I go too much further, if you've never heard of Splunkbase, this is our app store, and we can either go to splunkbase.splunk.com and do a search in here for "lookup file", there it is, Lookup File Editing, or just, back at your favorite search engine, "Splunkbase lookup editor", and you'll get links to the same location. I will point out, with the new Splunkbase, we are, Splunk is providing a new Splunkbase over the old one.

0:08:02.72  Sometimes if I were to just put "lookup" you may not see that information, that app down here, and even if I run a search you may not see it, so make sure to put in "lookup file". If you go to the old Splunkbase, if I type in "lookup" there, it's the first entry, so hopefully our product team, or whoever's working on the website, is adjusting that. And then the last way that we could bring in that lookup app is to go to Apps, Find More Apps, and then the same thing here, "lookup", and if I type in, let's say, "edit", there it is. Probably any other, I just didn't feel like scrolling down, but here you can just install it that way if your Splunk environment is internet capable.

0:09:05.34  I worked in an environment where that was not the case. So now let's talk about the outputlookup command and how to use it. And I'm actually going to go back into here; I want to show DHCP. So here you can see that lookup, this is that Splunk App for Lookup File Editing. I am filtering all of my, there is a lot more, I'll back up, there are a lot of lookup tables that are loaded in my environment. I am using the Splunk Security Essentials app; it's a free app that you can also download from Splunkbase. If you are in that security business, please check it out. There's one for compliance, there's one, IT Essentials, so we have a lot of good apps out there to help you get going.

0:09:57.96  But here I'm going to go DHCP, and you can see the one CSV that I have right now. And what we're going to do here is a base search that has given me the IP address, but I would rather, or I need, the hostname off to here. Luckily for me, I have another data source that I'm using: OPNsense and a DHCP server. And if I, I will go ahead and run this, it will give me the raw logs, and in the raw logs I have my IP address and it also has hostnames in here. And I can look at my interesting fields, because I have the OPNsense TA app that I downloaded that helps me to parse this data, and you can see over here in interesting fields I have client IP, MAC, and name.

0:10:57.84  So now I want to create a lookup table with these three fields. I'm going to hit the pipe, I'm going to say stats count by, what was that? client underscore name, client underscore IP, and client underscore MAC. Remember, your field names are case sensitive. Not the values, but the field names themselves are. And once this comes up it should give me, it gives me four columns, and if I don't want count here in my lookup table, I'm just going to say, easiest way, fields - count, and that will clean it up, and this is the output that I would like to have. So next I'm going to invoke the outputlookup command, so let's click on that.

0:12:01.50  And then I already have in my command history, because I practice this before I record a video, outputlookup DHCP test. And when I'm here in my Splunk environment it is not here yet, so let's go ahead and click on that, and as soon as I run this, and I give it a few seconds, there we go, I have an output. It may not be a hundred percent, but it's a start; you don't have to build everything from scratch. So I can have this here and start editing this lookup table with the lookup file editor. So I 100% recommend downloading that app to edit the lookup tables, because if you don't, you'd have to be in the business of pulling that lookup table from your Splunk index or search heads, bringing it down to your computer and editing it, or logging into the box and editing it manually like that.

0:13:04.98  So the lookup editor is definitely one of the first apps that I install on a fresh Splunk install. But here you can see I have Tab A and Tab A, oh, which one? There are two different MAC addresses, two different IPs; my kids both have a tablet, so if I wanted to know which tablet is which, grab the tablet, look up the MAC address, make sure I know which one it is, and update my lookup table. So if we go back here to this lookup app, the Splunk App for Lookup File Editing, and re-run this search, let's see here, just hit refresh, and I'll have to put in DHCP again.

0:13:46.50  There is that lookup table, and if I wanted to, I can just click in here, and now I can start editing this lookup file. So I like, this device here is my work underscore laptop. This is dash child one, and then we have dash child two. Click Save. We can add more columns, so if I know, like right now none of my firewall ports are showing up, so I could say firewall, and if I have the IP address I can put that in there, and if I had the MAC address, dot 1.1.

0:14:46.26  Let's, sure, just for fun, because it doesn't matter, I'll just plug this in and call it 99. Save. Now when I come back over here and I rerun this, well actually, if I rerun this, ooh, almost messed up. If I rerun this it'll overwrite the changes. Well, I'll show you that. Let's see here, bam. If I go back over here, click Lookups, refresh this, let's see, I'll do another refresh here, and I'll type in DHCP and click DHCP test. You can see those changes I made are gone now. So be careful with that command, with the outputlookup.

0:15:46.08  So yeah, let's, I'll do, this time I'll just do this one here, and I'll say work laptop, and I just want to show you that, one, and then dash two, that it does work when you click Save Lookup. And what I can do is come here, and actually I will open a new search and do a pipe inputlookup DH, yeah, DHCP underscore test, not CSV. And you can see now, instead of what it was before, I get my work laptop, and now I have one and two. And then for this here, I can easily come back to my previous search, or I can type it out here, I think I've got it copied over here. You know, now I can you
know quickly Dialogue: 0,0:16:59.90,0:17:02.82,Default,,0000,0000,0000,,oops got to get rid of the extra pipe Dialogue: 0,0:17:02.82,0:17:05.22,Default,,0000,0000,0000,,when I copied it Dialogue: 0,0:17:05.22,0:17:08.12,Default,,0000,0000,0000,,and then Dialogue: 0,0:17:10.20,0:17:12.90,Default,,0000,0000,0000,,actually what I'll do is Dialogue: 0,0:17:12.90,0:17:15.18,Default,,0000,0000,0000,,fields Dialogue: 0,0:17:15.18,0:17:18.72,Default,,0000,0000,0000,,and say dust underscore IP Dialogue: 0,0:17:18.72,0:17:23.70,Default,,0000,0000,0000,,and then stats count by dust underscore Dialogue: 0,0:17:23.70,0:17:27.14,Default,,0000,0000,0000,,IP host name Dialogue: 0,0:17:32.58,0:17:34.14,Default,,0000,0000,0000,,and voila Dialogue: 0,0:17:34.14,0:17:36.54,Default,,0000,0000,0000,,so you can see Dialogue: 0,0:17:36.54,0:17:38.46,Default,,0000,0000,0000,,where it's grabbing that information oh Dialogue: 0,0:17:38.46,0:17:41.06,Default,,0000,0000,0000,,I got the wrong Dialogue: 0,0:17:41.84,0:17:43.80,Default,,0000,0000,0000,,DHCP Dialogue: 0,0:17:43.80,0:17:48.62,Default,,0000,0000,0000,,underscore test dot CSV Dialogue: 0,0:17:54.06,0:17:55.62,Default,,0000,0000,0000,,oh Dialogue: 0,0:17:55.62,0:17:59.52,Default,,0000,0000,0000,,and you can see I have IP here Dialogue: 0,0:17:59.52,0:18:02.46,Default,,0000,0000,0000,,and what I needed to do was actually go Dialogue: 0,0:18:02.46,0:18:04.50,Default,,0000,0000,0000,,back to my lookup table Dialogue: 0,0:18:04.50,0:18:07.40,Default,,0000,0000,0000,,and say Dialogue: 0,0:18:07.44,0:18:11.96,Default,,0000,0000,0000,,client underscore IP Dialogue: 0,0:18:12.24,0:18:15.48,Default,,0000,0000,0000,,and then I believe it's the first one Dialogue: 0,0:18:15.48,0:18:18.12,Default,,0000,0000,0000,,here so let's just test that out Dialogue: 0,0:18:18.12,0:18:19.68,Default,,0000,0000,0000,,client Dialogue: 0,0:18:19.68,0:18:22.80,Default,,0000,0000,0000,,what did I call that field again Dialogue: 
0,0:18:22.80,0:18:24.68,Default,,0000,0000,0000,,client name Dialogue: 0,0:18:24.68,0:18:28.68,Default,,0000,0000,0000,,underscore name Dialogue: 0,0:18:31.26,0:18:34.32,Default,,0000,0000,0000,,and there you go see there's the 133 Dialogue: 0,0:18:34.32,0:18:37.44,Default,,0000,0000,0000,,which was the A1 and in there is my work Dialogue: 0,0:18:37.44,0:18:39.90,Default,,0000,0000,0000,,laptop so you got to see you got to see Dialogue: 0,0:18:39.90,0:18:41.46,Default,,0000,0000,0000,,me fail Dialogue: 0,0:18:41.46,0:18:44.46,Default,,0000,0000,0000,,with the field names but that's a good Dialogue: 0,0:18:44.46,0:18:46.74,Default,,0000,0000,0000,,thing because then you saw where you Dialogue: 0,0:18:46.74,0:18:49.08,Default,,0000,0000,0000,,know the first field is in your lookup Dialogue: 0,0:18:49.08,0:18:51.96,Default,,0000,0000,0000,,table to match in your search results Dialogue: 0,0:18:51.96,0:18:54.06,Default,,0000,0000,0000,,you know so the client IP as destination Dialogue: 0,0:18:54.06,0:18:56.34,Default,,0000,0000,0000,,IP and then the client name as hostname Dialogue: 0,0:18:56.34,0:18:59.76,Default,,0000,0000,0000,,so instead of it coming out as a client Dialogue: 0,0:18:59.76,0:19:02.34,Default,,0000,0000,0000,,name I have it as you can you know I Dialogue: 0,0:19:02.34,0:19:05.70,Default,,0000,0000,0000,,could have easily done this Dialogue: 0,0:19:05.70,0:19:09.60,Default,,0000,0000,0000,,and say client underscore name Dialogue: 0,0:19:09.60,0:19:12.68,Default,,0000,0000,0000,,if I wanted to Dialogue: 0,0:19:12.90,0:19:14.64,Default,,0000,0000,0000,,you know if that makes more sense for Dialogue: 0,0:19:14.64,0:19:17.12,Default,,0000,0000,0000,,you as well Dialogue: 0,0:19:17.82,0:19:19.62,Default,,0000,0000,0000,,and once you've defined that lookup Dialogue: 0,0:19:19.62,0:19:21.54,Default,,0000,0000,0000,,table and you've got it incorporated Dialogue: 0,0:19:21.54,0:19:24.12,Default,,0000,0000,0000,,into Splunk you know we can start adding 
Dialogue: 0,0:19:24.12,0:19:26.28,Default,,0000,0000,0000,,that information to dashboards you may Dialogue: 0,0:19:26.28,0:19:29.16,Default,,0000,0000,0000,,have built or other reports so here is a Dialogue: 0,0:19:29.16,0:19:31.74,Default,,0000,0000,0000,,a dashboard that I created that looks at Dialogue: 0,0:19:31.74,0:19:35.22,Default,,0000,0000,0000,,all the you know devices in my network Dialogue: 0,0:19:35.22,0:19:37.80,Default,,0000,0000,0000,,I use my information my data from the Dialogue: 0,0:19:37.80,0:19:40.44,Default,,0000,0000,0000,,DHCP server and compare it to the lookup Dialogue: 0,0:19:40.44,0:19:42.84,Default,,0000,0000,0000,,table to see if there's any changes you Dialogue: 0,0:19:42.84,0:19:46.08,Default,,0000,0000,0000,,know if a new device grabbed a an IP on Dialogue: 0,0:19:46.08,0:19:49.32,Default,,0000,0000,0000,,my network that I didn't know about you Dialogue: 0,0:19:49.32,0:19:51.00,Default,,0000,0000,0000,,know I could set up alerts around this Dialogue: 0,0:19:51.00,0:19:53.70,Default,,0000,0000,0000,,you know for example I do have one here Dialogue: 0,0:19:53.70,0:19:58.32,Default,,0000,0000,0000,,for uh you know what so anytime a new Dialogue: 0,0:19:58.32,0:20:00.36,Default,,0000,0000,0000,,device comes on here and it does not Dialogue: 0,0:20:00.36,0:20:03.66,Default,,0000,0000,0000,,find a match it actually outputs the Dialogue: 0,0:20:03.66,0:20:07.02,Default,,0000,0000,0000,,name what so that I can go hey what is Dialogue: 0,0:20:07.02,0:20:07.92,Default,,0000,0000,0000,,this Dialogue: 0,0:20:07.92,0:20:11.76,Default,,0000,0000,0000,,yeah and what is this so Nintendo 3DS Dialogue: 0,0:20:11.76,0:20:13.92,Default,,0000,0000,0000,,so one of my kids found you know they Dialogue: 0,0:20:13.92,0:20:16.20,Default,,0000,0000,0000,,must have turned on their 3DS they Dialogue: 0,0:20:16.20,0:20:18.36,Default,,0000,0000,0000,,haven't used in a while so I'm gonna go Dialogue: 0,0:20:18.36,0:20:21.36,Default,,0000,0000,0000,,edit my lookup 
table and here's the MAC Dialogue: 0,0:20:21.36,0:20:23.34,Default,,0000,0000,0000,,address so let's go see if it's already Dialogue: 0,0:20:23.34,0:20:26.52,Default,,0000,0000,0000,,in that look up table and not this one Dialogue: 0,0:20:26.52,0:20:28.88,Default,,0000,0000,0000,,so I'm going to click lookups here and Dialogue: 0,0:20:28.88,0:20:34.68,Default,,0000,0000,0000,,go back into uh Hall DHCP leases Dialogue: 0,0:20:34.68,0:20:37.14,Default,,0000,0000,0000,,and I can either do a filtered search Dialogue: 0,0:20:37.14,0:20:38.88,Default,,0000,0000,0000,,for nin Dialogue: 0,0:20:38.88,0:20:41.46,Default,,0000,0000,0000,,and I have one here for an Nintendo 3DS Dialogue: 0,0:20:41.46,0:20:44.34,Default,,0000,0000,0000,,but that's a different Mac address Dialogue: 0,0:20:44.34,0:20:46.86,Default,,0000,0000,0000,,so let's just add this one in place Dialogue: 0,0:20:46.86,0:20:48.96,Default,,0000,0000,0000,,because I know there should be two of Dialogue: 0,0:20:48.96,0:20:49.92,Default,,0000,0000,0000,,them Dialogue: 0,0:20:49.92,0:20:52.14,Default,,0000,0000,0000,,so I'll just you know insert a row Dialogue: 0,0:20:52.14,0:20:53.70,Default,,0000,0000,0000,,afterwards Dialogue: 0,0:20:53.70,0:20:57.84,Default,,0000,0000,0000,,and we'll call this one Nintendo we'll Dialogue: 0,0:20:57.84,0:20:59.58,Default,,0000,0000,0000,,say three Dialogue: 0,0:20:59.58,0:21:02.96,Default,,0000,0000,0000,,yeah three DS Dialogue: 0,0:21:03.12,0:21:04.98,Default,,0000,0000,0000,,two Dialogue: 0,0:21:04.98,0:21:07.80,Default,,0000,0000,0000,,and we'll give it yeah we can see there Dialogue: 0,0:21:07.80,0:21:10.14,Default,,0000,0000,0000,,it is the different Mac address Dialogue: 0,0:21:10.14,0:21:12.42,Default,,0000,0000,0000,,and then what IP address did it grab so Dialogue: 0,0:21:12.42,0:21:14.10,Default,,0000,0000,0000,,I'll just grab this IP address because Dialogue: 0,0:21:14.10,0:21:17.04,Default,,0000,0000,0000,,that's what my DHCP server has Dialogue: 
0,0:21:17.04,0:21:19.80,Default,,0000,0000,0000,,and we will go back over here Dialogue: 0,0:21:19.80,0:21:22.92,Default,,0000,0000,0000,,and we'll say this I'm going to click Dialogue: 0,0:21:22.92,0:21:25.58,Default,,0000,0000,0000,,save lookup Dialogue: 0,0:21:25.62,0:21:28.56,Default,,0000,0000,0000,,all right and after clicking save look Dialogue: 0,0:21:28.56,0:21:30.72,Default,,0000,0000,0000,,up I should be able to go back to my Dialogue: 0,0:21:30.72,0:21:31.80,Default,,0000,0000,0000,,dashboard Dialogue: 0,0:21:31.80,0:21:35.30,Default,,0000,0000,0000,,and I'll just do a refresh Dialogue: 0,0:21:35.88,0:21:38.88,Default,,0000,0000,0000,,click okay didn't have to click submit Dialogue: 0,0:21:38.88,0:21:42.30,Default,,0000,0000,0000,,and it should not have anything in the Dialogue: 0,0:21:42.30,0:21:45.06,Default,,0000,0000,0000,,red column and Dialogue: 0,0:21:45.06,0:21:47.96,Default,,0000,0000,0000,,there we go Dialogue: 0,0:21:53.88,0:21:55.92,Default,,0000,0000,0000,,oh Dialogue: 0,0:21:55.92,0:21:59.22,Default,,0000,0000,0000,,interesting so now I need to Dialogue: 0,0:21:59.22,0:22:01.26,Default,,0000,0000,0000,,as a client name and a host name is Dialogue: 0,0:22:01.26,0:22:03.60,Default,,0000,0000,0000,,different so I'll play around with this Dialogue: 0,0:22:03.60,0:22:04.50,Default,,0000,0000,0000,,some more Dialogue: 0,0:22:04.50,0:22:06.54,Default,,0000,0000,0000,,should be the same well client name is Dialogue: 0,0:22:06.54,0:22:09.12,Default,,0000,0000,0000,,what my DHCP server sees it and then Dialogue: 0,0:22:09.12,0:22:11.82,Default,,0000,0000,0000,,this is the name I gave it so I'll have Dialogue: 0,0:22:11.82,0:22:14.94,Default,,0000,0000,0000,,to go now go get the kids devices and Dialogue: 0,0:22:14.94,0:22:16.76,Default,,0000,0000,0000,,make sure that I don't have a rogue Dialogue: 0,0:22:16.76,0:22:19.80,Default,,0000,0000,0000,,Nintendo 3DS on my network which I I Dialogue: 0,0:22:19.80,0:22:22.14,Default,,0000,0000,0000,,doubt it 
I know we have two of them Dialogue: 0,0:22:22.14,0:22:25.44,Default,,0000,0000,0000,,so hopefully this uh video was helpful Dialogue: 0,0:22:25.44,0:22:28.02,Default,,0000,0000,0000,,in introducing you to lookups and the Dialogue: 0,0:22:28.02,0:22:30.24,Default,,0000,0000,0000,,power of them if you have any questions Dialogue: 0,0:22:30.24,0:22:32.52,Default,,0000,0000,0000,,or comments please please leave them Dialogue: 0,0:22:32.52,0:22:36.80,Default,,0000,0000,0000,,below and uh Happy spelunking