Skip to content

Instantly share code, notes, and snippets.

@AfroThundr3007730

AfroThundr3007730/gen_services_lookup.md

Last active May 27, 2026 15:32
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save AfroThundr3007730/4b2fc42e547ef6acf4a77aeca11c71bc to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save AfroThundr3007730/4b2fc42e547ef6acf4a77aeca11c71bc to your computer and use it in GitHub Desktop.
Download ZIP
Convert /etc/sevices to CSV lookup file
Raw
gen_services_lookup.md

Convert /etc/sevices to CSV lookup file

out=$SPLUNK_HOME/etc/apps/search/lookups/services.csv
awk 'BEGIN {
        print "port,proto,port_name,port_desc"
    } NR > 1 && $0 !~ /^(#|\s*$)/ {
        split($2, p, "/")
        name=$1
        port=p[1]
        proto=p[2]
        $1=""
        $2=""
        sub(/^.*#\s*/, "", $0)
        sub(/^\s*/, "", $0)
        print port "," proto "," name ",\"" $0 "\""
    }' /etc/services | sort -h >$out && chown splunk:splunk $out

Automatic lookups

Lookup definition:

# /opt/splunk/etc/apps/search/local/transforms.conf
[services]
batch_index_query = 0
case_sensitive_match = 0
filename = services.csv
max_amtches = 1

Automatic lookup (zeek example):

# /opt/splunk/etc/apps/search/local/props.conf
[zeek:conn]
LOOKUP-zeek:conn-services-dest = services port AS dest_port proto AS proto OUTPUTNEW port_desc AS dest_port_desc port_name AS dest_port_name
LOOKUP-zeek:conn-services-src = services port AS src_port proto AS proto OUTPUTNEW port_desc AS src_port_desc port_name AS src_port_name
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment