topic Re: blacklist lookup for syslogs in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-blacklist-lookup-for-syslogs/m-p/591435#M205896 <P>Assuming src and DST are already extracted and you don't already have a domain field extracted in your events, you could try this:</P><LI-CODE lang="markup">| lookup blacklist.csv IP as src | lookup blacklist.csv IP as DST | where isnotnull(domain)</LI-CODE> Wed, 30 Mar 2022 08:14:26 GMT ITWhisperer 2022-03-30T08:14:26Z How to blacklist lookup for syslogs? https://community.splunk.com/t5/Splunk-Search/How-to-blacklist-lookup-for-syslogs/m-p/591428#M205891 <P>I have a blacklist.csv file that looks like the following,</P> <P>&nbsp;</P> <TABLE border="0" cellspacing="0"> <TBODY> <TR> <TD height="17">IP</TD> <TD>domain</TD> </TR> <TR> <TD height="17">1.0.136.29</TD> <TD># 2018-11-12, node-1lp.pool-1-0.dynamic.totbb.net, THA, 2</TD> </TR> <TR> <TD height="17">1.0.136.215</TD> <TD># 2018-10-06, node-1qv.pool-1-0.dynamic.totbb.net, THA, 2</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>i want to scan my syslog events and see if any IP address match the IPs in this blacklist.</P> <P>a syslog event looks like this:</P> <P><SPAN class="">Feb</SPAN> <SPAN class="">7</SPAN> <SPAN class="">03:32:31</SPAN> <SPAN class="">Router</SPAN> <SPAN class="">kernel:</SPAN> [<SPAN class="">WAN_IN-3009-A</SPAN>]<SPAN class="">IN=eth0</SPAN> <SPAN class="">OUT=eth1.100</SPAN> <SPAN class="">MAC=18:e8:29:44:40:ac:00:1d:aa:a2:78:axxxxxx</SPAN> <SPAN class="">src=128.199.123.0</SPAN> <SPAN class="">DST=192.168.100.207</SPAN> <SPAN class="">LEN=60</SPAN> <SPAN class="">TOS=0x00</SPAN> <SPAN class="">PREC=0x00</SPAN> <SPAN class="">TTL=47</SPAN> <SPAN class="">ID=52834</SPAN> <SPAN class="">DF</SPAN> <SPAN class="">PROTO=TCP</SPAN> <SPAN class="">SPT=38290</SPAN> <SPAN class="">DPT=8194</SPAN> <SPAN class="">WINDOW=29200</SPAN> <SPAN class="">RES=0x00</SPAN> <SPAN class="">SYN</SPAN> <SPAN class="">URGP=0</SPAN> <SPAN class="">MARK=0x64800000</SPAN></P> <P><SPAN class="">i already set up a lookup definition and lookup table, but i dont know exactly how to put up a search to display if a syslog even matches an IP in the blacklist.csv</SPAN></P> Wed, 30 Mar 2022 16:15:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-blacklist-lookup-for-syslogs/m-p/591428#M205891 splunkboob 2022-03-30T16:15:54Z Re: blacklist lookup for syslogs https://community.splunk.com/t5/Splunk-Search/How-to-blacklist-lookup-for-syslogs/m-p/591435#M205896 <P>Assuming src and DST are already extracted and you don't already have a domain field extracted in your events, you could try this:</P><LI-CODE lang="markup">| lookup blacklist.csv IP as src | lookup blacklist.csv IP as DST | where isnotnull(domain)</LI-CODE> Wed, 30 Mar 2022 08:14:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-blacklist-lookup-for-syslogs/m-p/591435#M205896 ITWhisperer 2022-03-30T08:14:26Z