Hi, Travis with Splunk here. In this video, I want to go over lookup tables and give you an example of how I use lookup tables.

I've pulled up a search here that shows the activity of the different devices on my home network. I can see there is a spike in data, and instead of me having to remember the IP address of that device, I can have a lookup table translate that IP to a hostname, so that when I hover over this spike of data I get a name instead of an IP address. This is very helpful, because I don't want to remember all the IP addresses for all the 30-plus devices that are in my house or in my home environment.

So if you're new to Splunk, or you're sitting here going, "Lookup tables? Why are they important? What are you talking about, Travis?", let's go to your favorite search engine, whatever you want to use, and do a search on "Splunk lookup tables". That gives you ways to find more information and use our documentation. I find doing a search in your favorite search engine is the easiest way to find stuff in our documentation. So the first result is the lookup command; I am using that lookup command in this search. Then if we go back here, the second one is "About lookups", and then there are other lookup command examples, how to use lookup tables, the Splunk Community, Splunk Answers. But I'm going to go into this "About lookups" Splunk documentation and show you more information about lookup tables here: what is a lookup, a way to enrich the data that you are collecting; the four types of lookup, CSV, external, KV store and even geo; and then more information about each one of those four types of lookup tables.

I'm going to focus on CSV today. Here we have a link to how I can create and bring a lookup table into Splunk using the web GUI or, if you like, using the configuration file and the CLI; there's a link for that. But for today we are going to go into this link here, which defines a CSV lookup, gives you more information about that CSV file, and then how to upload that file. And if you need an example of a lookup table, we have "see lookup for an example"; this "lookup" is a hyperlink, and we can drill down even further and see examples of a lookup table. An example that we provide (I say "we", Splunk) is an HTTP status code lookup, and you can go ahead and download that so you can see it, or just review the sample that Splunk has provided, where it shows the header fields, status, status description, status type, and then the values that are associated with the header fields. It's all comma separated, with no spaces, so you can see, like, 200, OK, Successful, and the three different header fields, and then the steps to go ahead and add those lookup tables into your Splunk Web.

So let's take one step back here. In here there's more information about lookup tables and how to get that in there. So just take some time and go through all of this; I could probably spend an hour on lookup tables. But what I'm going to do is also scroll down here, because there's something else I want to show. This is back on "About lookups", and if I scroll down: more on lookup table definitions, automatic lookups. This is great. So instead of having to invoke that lookup command during the search, I can go ahead and set up an automatic lookup that will be invoked at search time and bring in that information that you would need.

So the last thing I'm going to talk about on this page is commands and lookups. There are three commands that are related to lookup tables. I've already shown lookup, but there's also inputlookup and outputlookup. So you can manually create your lookup file, or we can actually use outputlookup in a Splunk search to create a lookup table to get that information into Splunk, so you can use it with other Splunk searches, and I will go over that; we're going to build that out today.

So let's back up. Here's where I'm using the lookup command with this lookup table. We have a couple of different ways of being able to look at what data is in that lookup table, that CSV file. That inputlookup command is one way, and then there's an app that you can download. So let me show off the inputlookup command real quick.

So, inputlookup, and you can see I've already used this command before. And before I go any further: if you like how, when I click inputlookup, I'm getting a lot of information over here, and you're not getting this much information, like when I click "more", you'll go up to "administrator", or whoever you're logged in as, your user account name, go to Preferences and then SPL Editor, and you can change this on your account for your preference. Splunk by default will have it on Compact, and you can select Full. And if you've ever noticed, when I hit the pipe it drops down a new line: that's this "search auto-format". I have it selected, so it automatically drops a new line every time, and you'll probably see that here in a minute. So I'm going to go ahead and hit cancel. So I have inputlookup, and what was that, Hall? Yep, I've already got it there, so I'll just click on that and click run. So all this command does is bring the data into a Splunk search so I can view it.

This is a CSV file that I have uploaded; I have edited and made adjustments to it, and this is the CSV file that is being used in this search, where my destination IP will go down here and, if it makes a match, it outputs me the hostname. Now, the other way that we can edit this file is an app. Do I have that up? Nope. So we'll go here, Apps, and we're going to go to the Splunk App for Lookup File Editing. This is an app that I've downloaded off of Splunkbase. Before I go too much further, if you've never heard of Splunkbase, this is our app store. We can either go to splunkbase.splunk.com and do a search in here for "lookup file" (there it is, Lookup File Editing), or just go back to your favorite search engine and search "Splunkbase lookup editor", and you'll get links to the same location. I will point out that with the new Splunkbase (Splunk is providing a new Splunkbase over the old one), sometimes if I were to just put "lookup", you may not see that app down here, and even if I run a search you may not see it, so make sure to put in "lookup file". If you go to the old Splunkbase and type in "lookup" there, it's the first entry. So hopefully our product team, or whoever's working on the website, is adjusting that. And then the last way that we could bring in that lookup app is to go to Apps, Find More Apps, and then the same thing here, "lookup", and if I type in, let's say, "edit", there it is (probably any other word would do, I just didn't feel like scrolling down). Here you can just install it that way, if your Splunk environment is internet capable. I worked in an environment where that was not the case.

So now let's talk about the outputlookup command and how to use it, and I'm actually going to go back into here. I want to show DHCP. So here you can see that lookup; this is that Splunk App for Lookup File Editing. I am filtering all of my... I'll back up: there are a lot of lookup tables that are loaded in my environment. I am using the Splunk Security Essentials app; it's a free app that you can also download from Splunkbase. If you are in that security business, please check it out. There's one for compliance, there's IT Essentials, so we have a lot of good apps out there to help you get going. But here I'm going to type DHCP, and you can see the one CSV that I have right now. What we're going to do here is a base search that has given me the IP address, but I would rather, or I need, the hostname off to here. Luckily for me, I have another data source: I'm using OPNsense as a DHCP server. And if I go ahead and run this, it will give me the raw logs, and in the raw logs I have my IP address and it also has hostnames in here. I can look at my interesting fields, because I have the OPNsense TA app that I downloaded, which helps me to parse this data, and you can see over here in interesting fields I have client IP, MAC and name.

So now I want to create a lookup table with these three fields. I'm going to hit the pipe, I'm going to say stats count by, what was that, client_name, client_ip and client_mac. Remember, your field names are case sensitive; not the values, but the field names themselves are. And once this comes up, it gives me four columns, and if I don't want count here in my lookup table, I'm just going to say, easiest way, fields minus count, and that will clean it up. This is the output that I would like to have.

So next I'm going to invoke the outputlookup command. So let's click on that, and I already have it in my command history, because I practice this before I record a video: outputlookup DHCP_test. And when I'm here in my Splunk environment, it is not here yet. So let's go ahead and click on that, and as soon as I run this, and I give it a few seconds, there we go, I have an output. It may not be a hundred percent, but it's a start. You don't have to build everything from scratch. So I can have this here and start editing this lookup table with the lookup file editor. So I 100% recommend downloading that app to edit the lookup tables, because if you don't, you'd have to be in the business of pulling that lookup table from your Splunk indexers or search heads, bringing it down to your computer and editing it, or logging into the box and editing it manually like that. So the lookup editor is definitely one of the first apps that I install on a fresh Splunk install.

But here you can see I have "tab a" and "tab a". Oh, which one? Are there two different MAC addresses? Two different IPs; my kids both have a tablet. So if I wanted to know which tablet is which, grab the tablet, look up the MAC address, make sure I know which one it is, and update my lookup table. So if we go back here to this lookup app, the Splunk App for Lookup File Editing, and re-run this search... let's see here, just hit refresh, and I'll have to put in DHCP again. There is that lookup table, and if I wanted to, I can just click in here, and now I can start editing this lookup file. So, I know this device here is my work_laptop; this one is -child1, and then we have -child2. Click save.

We can add more columns. So if I know, like right now, none of my firewall ports are showing up, so I could say "firewall", and if I have the IP address I can put that in there, .1.1, and if I had the MAC address... let's, sure, just for fun, because it doesn't matter, I'll just plug this in and call it 99. Save.

Now when I come back over here and I rerun this... well, actually, if I rerun this, ooh, almost messed up: if I rerun this, it'll overwrite the changes. Well, I'll show you that. Let's see here, bam. If I go back over here, click Lookups, refresh this, let's see, I'll do another refresh here, and I'll type in DHCP and click DHCP_test: you can see those changes I made are gone now. So be careful with that command, with outputlookup.

So, yeah, let's... this time I'll just do this one here and I'll say "work laptop", and I just want to show you that, "1" and then "-2", that it does work when you click Save Lookup. What I can do is come here, and actually I will open a new search and do a pipe inputlookup DH... yeah, DHCP_test, not CSV. And you can see now, instead of what it was before, I get my work laptop, and now I have 1 and 2. And then for this here, I can easily come back to my previous search or I can type it out here; I think I've got it copied over here. Now I can quickly... oops, got to get rid of the extra pipe when I copied it, and then... actually, what I'll do is fields, and say dest_ip, and then stats count by dest_ip hostname, and voila.

So you can see where it's grabbing that information. Oh, I got the wrong... DHCP_test.csv. Oh, and you can see I have IP here, and what I needed to do was actually go back to my lookup table and say client_ip, and then I believe it's the first one here, so let's just test that out: client... what did I call that field again? Client name: client_name. And there you go. See, there's the 133, which was the A1, and in there is my work laptop. So you got to see me fail with the field names, but that's a good thing, because then you saw where the first field in your lookup table is, to match in your search results. So, the client IP as destination IP, and then the client name as hostname, so instead of it coming out as client name I have it as hostname. I could have easily done this and said client_name, if I wanted to, if that makes more sense for you as well.

And once you've defined that lookup table and you've got it incorporated into Splunk, we can start adding that information to dashboards you may have built, or other reports. So here is a dashboard that I created that looks at all the devices in my network. I use my data from the DHCP server and compare it to the lookup table to see if there are any changes, if a new device grabbed an IP on my network that I didn't know about. I could set up alerts around this; for example, I do have one here for "what?", so anytime a new device comes on here and it does not find a match, it actually outputs the name "what?", so that I can go, hey, what is this? Yeah, and what is this? So, Nintendo 3DS. So one of my kids found... they must have turned on their 3DS they haven't used in a while. So I'm going to go edit my lookup table, and here's the MAC address. So let's go see if it's already in that lookup table, and not this one. So I'm going to click Lookups here and go back into Hall DHCP leases, and I can either do a filtered search for "nin"... and I have one here for a Nintendo 3DS, but that's a different MAC address. So let's just add this one in place, because I know there should be two of them. So I'll just insert a row afterwards, and we'll call this one Nintendo, we'll say 3DS, yeah, 3DS 2, and we'll give it... yeah, we can see there it is, the different MAC address. And then what IP address did it grab? I'll just grab this IP address, because that's what my DHCP server has, and we will go back over here and we'll say this. I'm going to click Save Lookup. All right, and after clicking Save Lookup I should be able to go back to my dashboard, and I'll just do a refresh, click OK (didn't have to click submit), and it should not have anything in the red column, and there we go.

Oh, interesting. So now I need to... as the client name and the hostname are different, I'll play around with this some more. They should be the same. Well, client name is what my DHCP server sees it as, and then this is the name I gave it. So I'll have to go now and go get the kids' devices and make sure that I don't have a rogue Nintendo 3DS on my network, which I doubt; I know we have two of them.

So hopefully this video was helpful in introducing you to lookups and the power of them. If you have any questions or comments, please, please leave them below, and happy Splunking!