<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help with query combining lookups from two sources (i.e. cisco:asa and dshield) in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189605#M37768</link>
    <description>Help with query combining lookups from two sources (i.e. cisco:asa and dshield) in Getting Data In</description>
    <pubDate>Mon, 28 Sep 2020 18:43:45 GMT</pubDate>
    <dc:creator>aakwah</dc:creator>
    <dc:date>2020-09-28T18:43:45Z</dc:date>
    <item>
      <title>Help with query combining lookups from two sources (i.e. cisco:asa and dshield)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189604#M37767</link>
      <description>&lt;P&gt;Hello all, my apologies for a question that is probably documented and I am just not figuring out.  I am trying to take data from Cisco firewall logs, filter out internal-&amp;gt;internal traffic and blocked connections, and then look up the external IP addresses against the Dshield database that gets downloaded nightly.&lt;/P&gt;

&lt;P&gt;Below are two queries that work independently.  What I am trying to do is take the results in field dest_ip from the first query and then look them up in a method similar to the second query to see if I can find active malware.  A sort by bytes or something would be handy on the output but not essential.  Is this possible?&lt;/P&gt;

&lt;P&gt;1)  Works for finding the traffic I want:&lt;BR /&gt;
sourcetype="cisco:asa" AND NOT (src_ip="10.0.0.1/8" AND dest_ip="10.0.0.0/8") AND NOT (src_port=53 OR dest_port=53) bytes_in&amp;gt;0&lt;/P&gt;

&lt;P&gt;2)  Works for looking up offender IP addresses (en masse)&lt;BR /&gt;
index=dshield | stats sum(Reports) AS TotalReports by SourceIP | sort 10 -TotalReports&lt;/P&gt;

&lt;P&gt;Thank you kindly,&lt;BR /&gt;
Mark Lachniet&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 18:40:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189604#M37767</guid>
      <dc:creator>mlachnietpeckha</dc:creator>
      <dc:date>2020-09-28T18:40:05Z</dc:date>
    </item>
    <item>
      <title>Re: Help with query combining lookups from two sources (i.e. cisco:asa and dshield)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189605#M37768</link>
      <description>&lt;P&gt;I think the Splunk lookup feature can help in this situation. First you need to generate a CSV that includes the contents of the second query:&lt;/P&gt;

&lt;P&gt;index=dshield | stats sum(Reports) AS TotalReports by SourceIP | sort 10 -TotalReports&lt;/P&gt;

&lt;P&gt;We can run the search query from the Linux command line and save the output to a file as follows:&lt;BR /&gt;&lt;BR /&gt;
/opt/splunk/bin/splunk search 'index=dshield earliest="01/21/2015:01:00:00" latest="01/22/2015:01:00:00" | stats sum(Reports) AS TotalReports by SourceIP | sort 10 -TotalReports' -auth admin:P@ssw0rd -output csv &amp;gt; temp.csv&lt;/P&gt;

&lt;P&gt;Modify the file temp.csv with Linux tools to get the format you want; assume the final dshield_results.csv file we have looks like this:&lt;/P&gt;

&lt;P&gt;cat dshield_results.csv&lt;BR /&gt;
SourceIp,TotalReports&lt;BR /&gt;
10.10.1.2,77&lt;BR /&gt;
10.10.1.3,87&lt;/P&gt;

&lt;P&gt;The above steps can be automated in a script that saves dshield_results.csv in the following location:&lt;/P&gt;

&lt;P&gt;/opt/splunk/etc/users/admin/search/lookups/&lt;/P&gt;

&lt;P&gt;Then we will define the lookup by adding the following lines to the file /opt/splunk/etc/users/admin/search/local/transforms.conf&lt;/P&gt;

&lt;P&gt;vi /opt/splunk/etc/users/admin/search/local/transforms.conf&lt;/P&gt;

&lt;P&gt;[dshield_lookup]&lt;BR /&gt;
filename = dshield_results.csv&lt;/P&gt;

&lt;P&gt;Then we need to automate the lookup by adding the following to the file /opt/splunk/etc/users/admin/search/local/props.conf&lt;/P&gt;

&lt;P&gt;vi /opt/splunk/etc/users/admin/search/local/props.conf (in the first line put the sourcetype you want to assign the lookup to)&lt;/P&gt;

&lt;P&gt;[cisco:asa]&lt;BR /&gt;
LOOKUP-http_auto_lookup = dshield_lookup SourceIp AS dest_ip OUTPUTNEW &lt;/P&gt;

&lt;P&gt;Now you should have two fields, SourceIp and TotalReports, when you search sourcetype cisco:asa.&lt;/P&gt;

&lt;P&gt;Regards,&lt;BR /&gt;
Ahmed Elakwah&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 18:43:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189605#M37768</guid>
      <dc:creator>aakwah</dc:creator>
      <dc:date>2020-09-28T18:43:45Z</dc:date>
    </item>
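The export-to-lookup procedure in the reply above, written out as one nightly job. This is an added example by the editor, not code from the thread or from Splunk. It keeps the reply's user-level paths (etc/users/admin/search/lookups and local), assumes SPLUNK_HOME is /opt/splunk, reads the CLI credentials from a hypothetical mode-0600 file named in SPLUNK_CREDS_FILE instead of typing them on the command line, and falls back to a constructed sample export (with one quoted value, one non-IP and one out-of-range octet) when no Splunk CLI is present so the CSV handling can be run anywhere. Two checks that the later follow-up about missing fields would want are built in: the lookup header must be exactly SourceIP,TotalReports, since lookup field names must match the LOOKUP- stanza exactly, and the OUTPUTNEW clause names TotalReports explicitly, because the props.conf grammar expects at least one field after OUTPUT or OUTPUTNEW (omit the clause entirely to get every column).

```shell
#!/bin/sh
# Added example by the editor, not code from the thread or from Splunk: the
# export-to-lookup procedure above as one nightly job. Export with the CLI,
# validate and clean the CSV, install it atomically, write the two stanzas.
# Hypothetical: SPLUNK_HOME, SPLUNK_CREDS_FILE, and the staging fallback.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
if [ -d "$SPLUNK_HOME" ]; then
  APP_ROOT="$SPLUNK_HOME/etc/users/admin/search"   # the reply's user-level app
else
  APP_ROOT=$(mktemp -d)                             # no search head: stage only
fi
LOOKUP_DIR="${LOOKUP_DIR:-$APP_ROOT/lookups}"
CONF_DIR="${CONF_DIR:-$APP_ROOT/local}"
LOOKUP_NAME="dshield_lookup"
LOOKUP_FILE="dshield_results.csv"

# Run the reply's search from the CLI and emit CSV on stdout. Single quotes
# outside let the SPL keep its own double quotes. The -auth value is still
# visible in ps while the search runs, so give the job its own account with
# search rights on index=dshield only, not admin.
export_dshield() {
  creds=$(cat "${SPLUNK_CREDS_FILE:-/etc/splunk_dshield.creds}")  # user:password, mode 0600
  "$SPLUNK_HOME/bin/splunk" search \
    'index=dshield earliest=-24h@h latest=@h | stats sum(Reports) AS TotalReports by SourceIP | sort 10 -TotalReports' \
    -auth "$creds" -output csv
}

# stdin: CSV from the CLI. stdout: the lookup with the exact header the LOOKUP-
# stanza names (lookup field names are case-sensitive). Rows whose SourceIP is
# not a dotted-quad IPv4 address or whose count is not an integer are dropped.
# Exit 2 if the header changed, so a renamed field fails loudly instead of
# installing a table that matches nothing.
normalize_lookup() {
  awk -F',' '
    { gsub(/\r/, ""); gsub(/"/, "") }
    NR == 1 {
      if ($1 != "SourceIP" || $2 != "TotalReports") exit 2
      print "SourceIP,TotalReports"; next
    }
    {
      n = split($1, o, ".")
      ok = 0
      if (n == 4) if ($2 ~ /^[0-9]+$/) ok = 1
      for (i = 4; i > 0; i--) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (ok) print $1 "," $2
    }'
}

# Replace the lookup file with a rename (atomic on the same filesystem) so a
# search that fires mid-update never reads a half-written table, and refuse to
# install an empty one rather than silently wiping last night's data.
# Prints the number of data rows installed.
install_lookup() {
  src="$1"
  rows=$(( $(wc -l "$src" | awk '{print $1}') - 1 ))
  if [ "$rows" -lt 1 ]; then
    echo "refusing to install empty lookup from $src" > /dev/stderr
    return 1
  fi
  mkdir -p "$LOOKUP_DIR"
  cp "$src" "$LOOKUP_DIR/$LOOKUP_FILE.tmp"
  mv "$LOOKUP_DIR/$LOOKUP_FILE.tmp" "$LOOKUP_DIR/$LOOKUP_FILE"
  echo "$rows"
}

# Append the reply's two stanzas only if absent, so reruns do not duplicate
# them. OUTPUTNEW names TotalReports explicitly: the props.conf grammar wants
# at least one field after OUTPUT or OUTPUTNEW (omit the clause to get all).
write_lookup_conf() {
  mkdir -p "$CONF_DIR"
  grep -q "^\[$LOOKUP_NAME\]" "$CONF_DIR/transforms.conf" 2>/dev/null ||
    printf '[%s]\nfilename = %s\n' "$LOOKUP_NAME" "$LOOKUP_FILE" >> "$CONF_DIR/transforms.conf"
  grep -q "^LOOKUP-dshield = " "$CONF_DIR/props.conf" 2>/dev/null ||
    printf '[cisco:asa]\nLOOKUP-dshield = %s SourceIP AS dest_ip OUTPUTNEW TotalReports\n' \
      "$LOOKUP_NAME" >> "$CONF_DIR/props.conf"
}

# Constructed sample of what the CLI emits, used when no Splunk CLI is present
# so the rest of the job can be exercised anywhere. The quoted value, the
# non-IP and the out-of-range octet exercise the filtering.
SAMPLE_EXPORT='SourceIP,TotalReports
109.169.45.231,494447
"91.218.160.70",346386
not-an-ip,12
300.1.1.1,5
10.10.1.2,77'

STAGE=$(mktemp)
if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
  export_dshield | normalize_lookup > "$STAGE" || exit 1
else
  printf '%s\n' "$SAMPLE_EXPORT" | normalize_lookup > "$STAGE" || exit 1
fi
installed=$(install_lookup "$STAGE") || exit 1
write_lookup_conf
rm -f "$STAGE"
echo "installed $installed rows to $LOOKUP_DIR/$LOOKUP_FILE, stanzas in $CONF_DIR"
```

Run it from cron on the search head as the splunk user. After the first run, confirm the table loads with `| inputlookup dshield_lookup` and that the join works inline with `sourcetype=cisco:asa | lookup dshield_lookup SourceIP AS dest_ip OUTPUTNEW TotalReports` before relying on the automatic lookup: a table that loads but an automatic lookup that adds nothing points at the props.conf stanza or its field names, not at the data. A lookup under etc/users/admin is private to that user; share it to the app (Settings, Lookups, Permissions) or place it in an app's lookups directory if other users or scheduled alerts need it.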
    <item>
      <title>Re: Help with query combining lookups from two sources (i.e. cisco:asa and dshield)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189606#M37769</link>
      <description>&lt;P&gt;Thanks Ahmed, you are awesome.&lt;/P&gt;

&lt;P&gt;I have this partially working.  I know that it is doing a lookup in the CSV file when I try to get results because it was complaining quite a bit when I had a mismatched field title in the CSV.&lt;/P&gt;

&lt;P&gt;However, neither of those fields is appearing in my searches. Here is what I have:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;/data/splunk/etc/users/admin/search/lookups/dshield_processed.csv:&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;SourceIP,TotalReports&lt;BR /&gt;
109.169.45.231,494447&lt;BR /&gt;
91.218.160.70,346386&lt;BR /&gt;
193.107.17.70,313808&lt;BR /&gt;
[...]&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;/data/splunk/etc/users/admin/search/local/transforms.conf:&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;[dshield_processed]&lt;BR /&gt;
filename = dshield_processed.csv&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;/data/splunk/etc/users/admin/search/local/props.conf:&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;[cisco:asa]&lt;BR /&gt;
LOOKUP-http_auto_lookup = dshield_processed SourceIP AS dest_ip OUTPUTNEW&lt;/P&gt;

&lt;P&gt;When I do a search such as the one above, the fields SourceIP and TotalReports are not shown on the list of selectable columns, although other data is returned.  A query to create a table such as the one below also shows no data in those fields:&lt;/P&gt;

&lt;P&gt;sourcetype="cisco:asa" AND NOT (src_ip="10.0.0.1/8" AND dest_ip="10.0.0.0/8") AND NOT (src_port=53 OR dest_port=53) bytes_in&amp;gt;0 | table bytes_in src_ip src_port SourceIP dest_port TotalReports&lt;/P&gt;

&lt;P&gt;Somehow those two new fields aren't being "added" to my list of possible fields.  So it is close but I am still doing something wrong.&lt;/P&gt;

&lt;P&gt;By the way, I added a couple of IP addresses manually to the CSV file with some values so that I would get back some results, so I don't think it's an issue of just not getting any hits.  Unless perhaps it is not re-reading the CSV file?  (I have been restarting the service after I edit it.)&lt;/P&gt;

&lt;P&gt;Thank you again for taking the time to help with this.  I will write this up when it is working and share it back as a mini whitepaper or something.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 18:43:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189606#M37769</guid>
      <dc:creator>mlachnietpeckha</dc:creator>
      <dc:date>2020-09-28T18:43:51Z</dc:date>
    </item>
    <item>
      <title>Re: Help with query combining lookups from two sources (i.e. cisco:asa and dshield)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189607#M37770</link>
      <description>&lt;P&gt;It is my pleasure.&lt;/P&gt;

&lt;P&gt;Actually, I got the lines added to the configuration files after I created the lookup from the web interface, so I think the best way is to create it from the web interface to avoid any missing configuration.&lt;/P&gt;

&lt;P&gt;From the web interface: Settings -&amp;gt; Lookups&lt;/P&gt;

&lt;P&gt;Lookup table files, to upload the CSV file&lt;BR /&gt;
then Lookup definitions&lt;BR /&gt;
then Automatic lookups&lt;BR /&gt;
Lookup input fields:&lt;BR /&gt;
on the left-hand side SourceIp and on the right-hand side dest_ip&lt;/P&gt;

&lt;P&gt;Regards,&lt;BR /&gt;
Ahmed&lt;/P&gt;</description>
      <pubDate>Sat, 24 Jan 2015 09:04:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-query-combining-lookups-from-two-sources-i-e-cisco-asa/m-p/189607#M37770</guid>
      <dc:creator>aakwah</dc:creator>
      <dc:date>2015-01-24T09:04:52Z</dc:date>
    </item>
  </channel>
</rss>

