https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213692#M62686 <P>I'm still new to Splunk and trying to figure out the correct syntax for lookups.</P> <P>My goal is to compare a list of known IPs associated with a botnet and see if there is any traffic to/from the IPs in the firewall logs.</P> <PRE><CODE>index=firewall_logs sourcetype=cisco:asa [ | inputlookup bad_ips.csv | fields IP ] </CODE></PRE> <P>This returns nothing. What else am I missing? Thanks in advance!</P> Wed, 04 Nov 2015 22:45:41 GMT CYBR_AH 2015-11-04T22:45:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213692#M62686 <P>I'm still new to Splunk and trying to figure out the correct syntax for lookups.</P> <P>My goal is to compare a list of known IPs associated with a botnet and see if there is any traffic to/from the IPs in the firewall logs.</P> <PRE><CODE>index=firewall_logs sourcetype=cisco:asa [ | inputlookup bad_ips.csv | fields IP ] </CODE></PRE> <P>This returns nothing. What else am I missing? Thanks in advance!</P> Wed, 04 Nov 2015 22:45:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213692#M62686 CYBR_AH 2015-11-04T22:45:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213693#M62687 <P>Hi CYBR_AH,</P> <P>run the search using <CODE>return</CODE> instead <CODE>fields</CODE> :</P> <PRE><CODE>index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 IP ] </CODE></PRE> <P>This will return the results from the lookup file as this string:</P> <PRE><CODE>(IP="1.1.1.1") OR (IP="2.2.2.2") .... </CODE></PRE> <P>which will be used in the base search, so the search be in the end:</P> <PRE><CODE>index=firewall_logs sourcetype=cisco:asa (IP="1.1.1.1") OR (IP="2.2.2.2") .... </CODE></PRE> <P>Read the docs on <CODE>return</CODE> to learn more details <A href="http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Return">http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Return</A></P> <P>Hope this helps ...</P> <P>cheers, MuS</P> <P><STRONG>Update:</STRONG></P> <P>Sorry the first one was wrong! Try this instead:</P> <PRE><CODE> | inputlookup bad_ips.csv | search [ search index=firewall_logs sourcetype=cisco:asa | dedup IP | fields IP ] </CODE></PRE> <P>Hope this makes more sense ...</P> Wed, 04 Nov 2015 23:24:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213693#M62687 MuS 2015-11-04T23:24:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213694#M62688 <P>update ping...</P> Wed, 04 Nov 2015 23:34:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213694#M62688 MuS 2015-11-04T23:34:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213695#M62689 <P>I tried </P> <PRE><CODE>index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 $IP] | stats count by dest_ip </CODE></PRE> <P>and it worked. This gave me a really good starting point. Thanks for your help! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Nov 2015 04:35:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213695#M62689 CYBR_AH 2015-11-05T04:35:07Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213696#M62690 <P>where do ve upload .csv file in splunk which contains list of IPs?</P> Thu, 25 Jul 2019 12:36:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-to-compare-a-list-of-IPs-from-a-lookup/m-p/213696#M62690 vinitashinde94 2019-07-25T12:36:32Z