topic Re: How to use lookup to return true or false value depending on specific result in Splunk Search

How to use lookup to return true or false value depending on specific result

agolkar — Thu, 07 Nov 2019 03:23:07 GMT

Hello,

I am having trouble figuring out where to even start.....
Here is my scenario.

I have a search that is showing me open ports on a system based on a vulnerability scan:

index=vuln_scanner | stats count by dest_dns dest_ip port protocol

Here is an example of the search result:

dest_dns | dest_ip | port | protocol

hi.com | 10.1.1.1 | 80 | tcp | 12
bye.com | 10.2.2.2 | 22 | tcp | 12
splunk.com | 10.3.3.3 | 53 | udp | 5
test.com | 10.4.4.4 | 80 | tcp | 4
nope.com | 10.5.5.5 | 22 | tcp | 3

I have a lookup called "allowed_ports.csv" that includes a list of ports that I have "allowed" (expect to be open) that looks something like this:

1. comment, dest_port, is_allowed, transport
2. http, 80, true, tcp
3. dns, 53, true, udp

How can I make my search query add a column into the results table to show if a certain port is allowed or not? I want something to sort of look like this based on the values in the lookup:

dest_dns | dest_ip | port | protocol | is_allowed

hi.com | 10.1.1.1 | 80 | tcp | true | 12
bye.com | 10.2.2.2 | 22 | tcp | false | 12
splunk.com | 10.3.3.3 | 53 | udp | true | 5
test.com | 10.4.4.4 | 80 | tcp | true | 4
nope.com | 10.5.5.5 | 22 | tcp | false | 3

Instead of true/false I am okay with showing 0/1 or yes/no. Any help would be greatly appreciated.

Re: How to use lookup to return true or false value depending on specific result

arjunpkishore5 — Thu, 07 Nov 2019 05:49:33 GMT

This should work

index=vuln_scanner 
| stats count by dest_dns dest_ip port protocol
| lookup allowed_ports.csv transport as protocol, dest_port as port OUTPUT is_allowed

Please mark a s answer if this is what you were looking for.
Cheers

Re: How to use lookup to return true or false value depending on specific result

agolkar — Thu, 07 Nov 2019 17:58:58 GMT

Hello! Thank you for the response. Unfortunately I am getting the following error:

Error in 'lookup' command: Could not construct lookup 'allowed_ports.csv, transport, as, protocol, dest_port, as, port, OUTPUT, is_allowed'. See search.log for more details.

Re: How to use lookup to return true or false value depending on specific result

arjunpkishore5 — Thu, 07 Nov 2019 18:48:24 GMT

Hi @agolkar

Have you added additional commas? Could you please paste the line with your lookup command here?

Re: How to use lookup to return true or false value depending on specific result

agolkar — Thu, 07 Nov 2019 20:23:42 GMT

Sure, here you go:

| lookup allowed_ports.csv transport as protocol, dest_port as port OUTPUT is_allowed