Hello all,
I've done this a million times, but for some reason, it's not working for me today, and I suspect it's something really silly that just needs some fresh eyes on it.
I have a .csv file:
dest_port,application
1,TCP Port Service Multiplexer (TCPMUX)
5,Remote Job Entry (RJE)
7,ECHO
18,Message Send Protocol (MSP)
20,FTP -- Data
21,FTP -- Control
...etc...
I've created a lookup table file and lookup definition in the same app context. I run `| inputlookup known_tcp_ports.csv` and I get the table (with the order backwards, application first followed by dest_port).
I created an automatic lookup that has input: dest_port = dest_port (exists in my data and identical name as port header in csv) and the output is application=application. This doesn't work, so I dug into it and even the normal lookup doesn't work!
I'm staring at an event with dest_port=20 right now and when I run `index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv ]` I get bupkis.
Any ideas? I'm sure it's something really simple.
Edit: Running `index=main dest_ip=* | lookup known_tcp_ports.csv dest_port OUTPUT application` gets the application field. Not sure why I have to force it like that.
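Added example (not part of the original post): three searches that show why the bracketed subsearch form returns nothing while `| lookup` works. They assume the lookup file `known_tcp_ports.csv`, the `dest_port`/`application` columns, and the `index=main sourcetype=web*` data exactly as described above.

```spl
| inputlookup known_tcp_ports.csv | format

index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv | fields dest_port ]

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port OUTPUT application
```

The first search prints what the subsearch expands to: every CSV row becomes an AND of all its columns, joined by OR, along the lines of `( ( dest_port="1" AND application="TCP Port Service Multiplexer (TCPMUX)" ) OR ( dest_port="20" AND application="FTP -- Data" ) OR ... )`. The raw web events have no `application` field, so no row can match and the outer search returns nothing. Restricting the subsearch to `fields dest_port` (second search) turns it into a filter on ports only, which is usually what is intended, and the third search is the form that actually enriches each event with `application`; that the manual `| lookup` returns the field suggests the file, definition and permissions are fine, and that the automatic lookup is the piece to re-check (which sourcetype, source or host stanza it is attached to, and whether `dest_port` is extracted at search time for those events).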