topic Re: How to search comunication between a inputlookup with some ip's and traffic of an index ? in Splunk Search

How to search comunication between a inputlookup with some ip's and traffic of an index ?

Said7 — Wed, 03 Jan 2018 16:00:29 GMT

Hi, I have a doubt about an inputlookup, i have a inputlookup with some ip's and i want to know how can see comunication between my input and traffic from others indexes?

Re: How to search comunication between a inputlookup with some ip's and traffic of an index ?

Said7 — Wed, 03 Jan 2018 16:05:03 GMT

The index are from a Firewall and i want search comunication between them, and then make a table with some interenting fields.

Re: How to search comunication between a inputlookup with some ip's and traffic of an index ?

lguinn2 — Wed, 03 Jan 2018 20:15:20 GMT

There is no "communication" between data in Splunk.

If you have a lookup table, you can use the inputlookup command (along with other commands) to combine the lookup table data with the events retrieved from indexes.

However, this is a very general statement. There is no way to answer your question without more details.

What are you trying to accomplish? Do you want to see events from your indexes that match the ip addresses in the lookup table?
What data is in the lookup table? Is it just a list of ip addresses?
What data is in the indexes?

If you can answer these questions, and provide a bit of sample data, the community can help.

Re: How to search comunication between a inputlookup with some ip's and traffic of an index ?

gmchenry — Wed, 03 Jan 2018 20:24:22 GMT

Said7, are you asking how to use a lookup table and incorporate it into a search of the Firewall traffic that you have being sent to your Splunk instance?

Thanks!
Glenn

Re: How to search comunication between a inputlookup with some ip's and traffic of an index ?

Said7 — Tue, 29 Sep 2020 17:29:02 GMT

Hi lguinn, thanks for your answer.

i add some data, thanks.

What are you trying to accomplish? Do you want to see events from your indexes that match the ip addresses in the lookup table?

Yeah, i'm looking if some ip are doing match with the data from the inputlookp because the ip´s are identify like bad ip's, and the input only have two fields: ip and info.
What data is in the lookup table? Is it just a list of ip addresses?
In the input are ip´s identify as indicator of compromise from a botnet.
What data is in the indexes?
In the index are logs from a firewall with fiel like ip_src, ip_dst, service, protocol, etc...

Re: How to search comunication between a inputlookup with some ip's and traffic of an index ?

Said7 — Wed, 03 Jan 2018 21:12:13 GMT

Hi Glenn, yeah i want to incorporate a search with the index from the Firewall and the inputlookup. In the input are ip´s identified as a part of a botnet. And in the index are data from a firewall. First i want to see if there are comunication between the internal ip´s with the ip´s from the inputlookup and then could be create a dashboard or an alert.

Thanks for you help.

Re: How to search comunication between a inputlookup with some ip's and traffic of an index ?

micahkemp — Wed, 03 Jan 2018 21:14:54 GMT

This recent answers post may help you.

It contains a nice detailed example of searching IP address indicators from a lookup file.