We have 3 main site-codes in our environment and we are trying to implement a lookup table via Splunk. Here is what we have done so far. We created a Python script for asset discovery that we are running daily. Upon these results, we created a directory to where these results save at, and we created an index and a stanza to monitor these files daily.
The data we receive from the results of the scan we are trying to put into a lookup table for easier searching. Such as
index=vuln_test source=asset_disc 3389_state=open AND cred_success=False
| lookup site_code, corresponding IP, (and results of the scan)
once you have define your lookup then use |outputlookup command to store the results of scan.
try this:
index=vuln_test source=asset_disc 3389_state=open AND cred_success=False|table site_code, corresponding IP, (and results of the scan)|outputlookup <lookupFileName>
This is good information, but I'm not entirely sure on how to get this to be able to search
for creation of csv type lookup refer:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Knowledge/Usefieldlookupstoaddinformationtoyo...
and how outputlookup works refer:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup