[00:00:01] Hi, Travis with Splunk here. In this video, I want to go over lookup tables and give you an example of how I use lookup tables. I've pulled up a search here that shows the activity of the different devices on my home network. I can see there is a spike in data, and instead of me having to remember the IP address of that device, I can have a lookup table translate that IP to a host name, so that when I hover over this spike of data I get a name instead of an IP address. This is very helpful because I don't want to remember all the IP addresses for all the 30-plus devices that are in my house, or in my home environment.

[00:00:50] So if you're new to Splunk, or you're sitting here going, "Lookup tables? Why are they important? What are you talking about, Travis?", let's go to your favorite search engine, whatever you want to use, and do a search on Splunk lookup tables. That gives you ways to find more information and use our documentation. I find doing a search in your favorite search engine is the easiest way to find stuff in our documentation. So the first result is the lookup command; I am using that lookup command in this search. And then if we go back here, the second one is "About lookups", and then there are other lookup command examples, how to use lookup tables, the Splunk Community, Splunk Answers. But I'm going to go into this "About lookups" Splunk documentation and show you more information about the lookup table here: what is a lookup, a way to enrich the data that you are collecting; the four types of lookup, CSV, external, KV store and even geo; and then more information about each one of those four types of lookup tables.
[00:02:08] I'm going to focus on CSV today. And here we have a link to how I can create and bring a lookup table into Splunk using the web GUI or, if you like, using the configuration file or CLI; there's a link for that. But for today, we are going to go into this link here, which defines a CSV lookup, gives you more information about that CSV file, and then how to upload that file. And if you need an example of a lookup table, we have "See lookup for an example"; this "lookup" is a hyperlink, and we can drill down even further and see examples of a lookup table. An example that we provide (I say "we", meaning Splunk) is an HTTP status code lookup, and you can go ahead and download that so you can see it, or just review the sample that Splunk has provided, where it shows the header fields, "status, status description, status type", and then the values that are associated with the header fields, and it's all comma separated with no spaces. So you can see, like, "200, OK, Successful", and three different header fields, and then the steps to go ahead and add those lookup tables into your Splunk web.

[00:03:36] So let's take one step back here. In here is more information about lookup tables and how to get that in there. So just take some time and go through all of this; I could probably spend an hour on lookup tables. But what I'm going to do is also scroll down here, because there's something else I want to show. This is back to "About lookups", and if I scroll down: more lookup table definition, automatic lookups. This is great. So instead of having to invoke that lookup command during the search, I can go ahead and set up an automatic lookup that will be invoked at search time and bring in that information that you would need.

[00:04:22] So the last thing I'm going to talk about on this page is commands and lookups. There are three commands that are related to lookup tables.
[00:04:33] I've already shown lookup, but there's also inputlookup and outputlookup. So you can manually create your lookup file, or we can actually use outputlookup in a Splunk search to create a lookup table, to get that information into Splunk so you can use it with other Splunk searches, and I will go over that; we're going to build that out today. So let's back up. Here's where I'm using the lookup command there with this lookup table. We have a couple of different ways of being able to look at what data is in that lookup table, that CSV file, and the inputlookup command is one way, and then there's an app that you can download. So let me show off the inputlookup command real quick.
[00:05:29] So, inputlookup, and you can see I've already used this command before. And before I go any further: if you like how I get a lot of information over here when I click inputlookup, and you're not getting this much information, like when I click "more", you'll go up to "administrator", or whoever you're logged in as, your user account name, go to Preferences and then SPL Editor, and you can change this on your account for your preference. Splunk by default will have it on Compact, and you can select Full. And then, if you've ever noticed, when I hit the pipe it drops down a new line; that's this "search auto-format". So I select it, so it automatically drops a new line every time, and you'll probably see that here in a minute. So I'm going to go ahead and hit cancel. So I have inputlookup and, what was that, Hall? Yep, I've already got it there. So I'll just click on that and click run.
[00:06:33] So all this command does is bring the data into a Splunk search so I can view it. This is a CSV file that I have uploaded; I have edited it and made adjustments to it, and this is the CSV file that is being used in this search, where my destination IP will go down here and, if it makes a match, it outputs me the hostname. Now, the other way that we can edit this file is an app, and do I have that up? Nope. So we'll go here, Apps, and we're going to go to the Splunk App for Lookup File Editing, and this is an app that I've downloaded off of Splunkbase. If you've never, I'll back up, or before I go too much further: if you've never heard of Splunkbase, this is our app store, and we can either go to splunkbase.splunk.com and do a search in here for "lookup file", there it is, Lookup File Editing, or just, back at your favorite search engine, "Splunkbase lookup editor", and you'll get links to the same location.
[00:07:52] I will point out, with the new Splunkbase (Splunk is providing a new Splunkbase over the old one), sometimes if I were to just put in "lookup", you may not see that app down here, and even if I run a search you may not see it, so make sure to put in "lookup file". If you go to the old Splunkbase, if I type in "lookup" there, it's the first entry. So hopefully our product team, or whoever's working on the website, is adjusting that. And then the last way that we could bring in that lookup app is to go to Apps, Find More Apps, and then the same thing here, "lookup", and if I type in, let's say, "edit", there it is. Probably any other, I just didn't feel like scrolling down, but here you can just install it that way if your Splunk environment is internet capable. I worked in an environment where that was not the case.
[00:09:09] So now let's talk about the outputlookup command and how to use it, and I'm actually going to go back into here. I want to show DHCP. So here you can see that lookup; this is that app, the Splunk App for Lookup File Editing. I am filtering all of my... there is a lot more, I'll back up, there are a lot of lookup tables that are loaded in my environment. I am using the Splunk Security Essentials app; it's a free app that you can also download from Splunkbase. If you are in that security business, please check it out. There's one for compliance, there's one, IT Essentials. So we have a lot of good apps out there to help you get going. But here I'm going to go DHCP, and you can see the one CSV that I have right now, and what we're going to do here is a base search that has given me the IP address, but I would rather, or I need, the host name off to here. Luckily for me, I have another data source; I'm using OPNsense as a DHCP server, and if I go ahead and run this, it will give me the raw logs, and in the raw logs I have my IP address and it also has host names in here. And I can look at my Interesting Fields, because I have the OPNsense TA app that I downloaded, which helps me to parse this data, and you can see over here in Interesting Fields I have client IP, MAC and name.

[00:10:59] So now I want to create a lookup table with these three fields. I'm going to hit the pipe, I'm going to say "stats count by", what was that, client_name, client_ip and client_mac. Remember, your field names are case sensitive; not the values, but the field names themselves are. And once this comes up, it should give me, it gives me four columns, and if I don't want the count here in my lookup table, I'm just going to say, the easiest way, "fields - count", and that will clean it up, and this is the output that I would like to have.

[00:11:53] So next, I'm going to invoke the outputlookup command. So let's click on that, and then I already have it in my command history, because I practice this before I record a video: "outputlookup DHCP_test". And when I'm here in my Splunk environment, it is not here yet. So let's go ahead and click on that, and as soon as I run this, and I give it a few seconds, there we go: I have an output. It may not be a hundred percent, but it's a start. You don't have to build everything from scratch. So I can have this here and start editing this lookup table with the lookup file editor.
[00:12:45] So I 100 percent recommend downloading that app to edit the lookup tables, because if you don't, you'd have to be in the business of pulling that lookup table from your Splunk indexers or search heads, bringing it down to your computer and editing it, or logging into the box and editing it manually like that. So the lookup editor is definitely one of the first apps that I install on a fresh Splunk install. But here you can see I have "tab a" and "tab a", oh, which one are there? Two different MAC addresses, two different IPs; my kids both have a tablet. So if I wanted to know which tablet is which: grab the tablet, look up the MAC address and make sure I know which one it is, and update my lookup table. So if we go back here to this lookup app, the Splunk App for Lookup File Editing, and re-run this search, let's see here, just hit refresh, and I'll have to put in DHCP again.
[00:13:46] There is that lookup table, and if I wanted to, I can just click in here, and now I can start editing this lookup file. So, I like... this device here is my "work_laptop"; this is "-child1", and then we have "-child2". Click save. We can add more columns, so if I know, like right now none of my firewall ports are showing up, so I could say "firewall", and if I have the IP address I can put that in there, and if I had the MAC address, .1.1... let's, sure, just for fun, because it doesn't matter, I'll just plug this in and call it 99. Save.
[00:14:58] Now, when I come back over here and I rerun this, well, actually, if I rerun this, ooh, almost messed up: if I rerun this, it'll overwrite the changes. Well, I'll show you that; let's see here, bam. If I go back over here, click Lookups, refresh this, let's see, I'll do another refresh here, and I'll type in DHCP and click DHCP_test. You can see those changes I made are gone now, so be careful with that command, with outputlookup. So yeah, let's, this time I'll just do this one here, and I'll say "work laptop", and I just want to show you that, "1" and then "-2", that it does work when you click Save Lookup. And what I can do is come here, and actually I will open a new search and do a pipe, inputlookup DH... yeah, DHCP_test, not CSV.
[00:16:31] And you can see now, instead of what it was before, I get my "work laptop", and now I have 1 and 2. And then for this here, I can easily come back to my previous search, or I can type it out here; I think I've got it copied over here. Now I can quickly, oops, got to get rid of the extra pipe when I copied it, and then, actually what I'll do is "fields" and say dest_ip, and then "stats count by dest_ip, hostname", and voila. So you can see where it's grabbing that information. Oh, I got the wrong DHCP_test.csv. Oh, and you can see I have IP here, and what I needed to do was actually go back to my lookup table and say client_ip, and then I believe it's the first one here, so let's just test that out: client... what did I call that field again?
[00:18:22] client_name. And there you go, see, there's the 133, which was the A1, and in there is my work laptop. So you got to see me fail with the field names, but that's a good thing, because then you saw where the first field in your lookup table is, to match in your search results. So, the client IP as destination IP, and then the client name as hostname. So instead of it coming out as a client name, I have it as... I could have easily done this and said client_name, if I wanted to, if that makes more sense for you as well.

[00:19:17] And once you've defined that lookup table and you've got it incorporated into Splunk, we can start adding that information to dashboards you may have built, or other reports. So here is a dashboard that I created that looks at all the devices in my network. I use my information, my data from the DHCP server, and compare it to the lookup table to see if there are any changes; if a new device grabbed an IP on my network that I didn't know about, I could set up alerts around this. For example, I do have one here for, you know what, so anytime a new device comes on here and it does not find a match, it actually outputs the name "what", so that I can go, "Hey, what is this?" Yeah, and what is this? So, Nintendo 3DS. So one of my kids found, they must have turned on their 3DS they haven't used in a while. So I'm going to go edit my lookup table, and here's the MAC address. So let's go see if it's already in that lookup table, and not this one, so I'm going to click Lookups here and go back into Hall DHCP leases, and I can either do a filtered search for "nin", and I have one here for a Nintendo 3DS, but that's a different MAC address. So let's just add this one in place, because I know there should be two of them.
[00:20:49] So I'll just insert a row afterwards, and we'll call this one "Nintendo", we'll say "3DS 2", yeah, and we'll give it... yeah, we can see there it is, the different MAC address, and then what IP address did it grab? So I'll just grab this IP address, because that's what my DHCP server has, and we will go back over here and we'll say this. I'm going to click Save Lookup, all right. And after clicking Save Lookup, I should be able to go back to my dashboard, and I'll just do a refresh, click OK, didn't have to click submit, and it should not have anything in the red column, and there we go. Oh, interesting. So now I need to... as a client name and a host name is different. So I'll play around with this some more; it should be the same. Well, client name is what my DHCP server sees it as, and then this is the name I gave it.
[00:22:11] So I'll have to go now, go get the kids' devices and make sure that I don't have a rogue Nintendo 3DS on my network, which I doubt; I know we have two of them. So hopefully this video was helpful in introducing you to lookups and the power of them. If you have any questions or comments, please leave them below, and happy Splunking.