topic Re: Error inputlookup in Splunk Search

How to fix Error inputlookup?

abazgwa21cz — Tue, 31 Jan 2023 17:13:54 GMT

I have an issues with lookup, i create a table

I want to exclude path in lookup table from my search, so i try this query :

index="kaspersky" AND etdn="Object not disinfected" p2 NOT ([ inputlookup FP_malware.csv]) | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|stats count by time hip hdn etdn p2 | dedup p2

it seems not working . So how can i fix this ?????
Many thanks !!

Re: Error inputlookup

bowesmana — Tue, 31 Jan 2023 07:54:24 GMT

Your basic problem is that your lookup is

FP_Malware.csv

and your lookup in the search is

FP_malware.csv

upper/lower case.

However, you do not need

p2 NOT ...

Just use

NOT [ | inputlookup ... ]

The response coming back from the subsearch will be p2=x OR p2=y OR p2=z

You can see the format of the subsearch response by doing

| inputlookup FP_malware.csv | format ]

Re: Error inputlookup

gcusello — Tue, 31 Jan 2023 07:54:24 GMT

Hi @abazgwa21cz,

subsearches require that you explicit the fields to use as kay, and they must be the same of the main search.

In other words, if lookup_path is the path in the lookup and path is the field in the search,

then the pipe before the inputlookup command is missing.

At least, in the stats command, why did you use many fields in the BY clause and then dedup, why don't you used directly only p2 in the BY clause.

Ciao.

Giuseppe

Re: Error inputlookup

abazgwa21cz — Tue, 31 Jan 2023 08:05:12 GMT

my mistake . thanks alot it work now

Re: Error inputlookup

gcusello — Tue, 31 Jan 2023 10:52:12 GMT

Hi @abazgwa21cz ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: Error inputlookup

abazgwa21cz — Mon, 23 Oct 2023 14:04:26 GMT

Thanks alot , i have one more questions ,

I just install misp42 app in my splunk , and add misp instance to splunk , it work

But i want compare from : index=firewall srcip=10.x.x.x , it my log from firewall , so i want compare dstip with ip-dst from misp to detect unusual access activities , like when dstip=ip-dst : 152.67.251.30 , how can i search this , misp_instance=IP_Block field=value , i just try some search but it not work:

index=firewall srcip=10.x.x.x | mispsearch misp_instance=IP_Block field=value | search dstip=ip=dst | table _time dstip ip-dst value action

It can't get ip-dst from misp instance ,

Can you help me with this OR can i get some solution to resolve this

Many thanks and Best regards !!

Re: Error inputlookup

bowesmana — Mon, 23 Oct 2023 12:35:19 GMT

@abazgwa21cz For a new question, please ask it in a new topic, so that any answers relate to the new question.

Re: Error inputlookup

abazgwa21cz — Tue, 24 Oct 2023 03:44:54 GMT

I did , but no solution receive , Can u help me pls :
https://community.splunk.com/t5/Splunk-Search/Error-Search/m-p/665820#M228449