
How to whitelist a combination of fields using a lookup table?

utsav45
Explorer

Hello Experts,

We've got an alert which gets triggered if a service is installed on a Windows host.

index=winevents sourcetype="WinEventLog:System" EventCode=7045

We want to whitelist the combination of service and host. For example, if service A is installed on host A then it should be fine. Eventually, the list of host-service pairs would grow, so we would like to use a lookup table.

We have whitelisted a single field (src in the example below) by creating the lookup table and adding the lines below to the search, and it works perfectly alright.

| join type=left src [ | inputlookup whitelist.csv | search search_name=my search name exclusion_field=src | rename exclusion_value AS src | eval whitelisted="true"]

| where NOT whitelisted="true"

I tried adding multiple fields to the line above, but it doesn't seem to be working.

What is the best way to address the requirement?

Thanks

1 Solution

maciep
Champion

What does your whitelist.csv look like?

Typically, you would just use the lookup command (not inputlookup) to look up fields from your events in the table, then output something that would indicate it's whitelisted.

For example, let's say your lookup has two fields: host and service. And maybe your events have fields called host_name and service_name. Then maybe something like this?

index=winevents sourcetype="WinEventLog:System" EventCode=7045
| lookup whitelist.csv host AS host_name, service AS service_name OUTPUT host AS found_host
| where isnull(found_host)

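The point of the accepted answer is that both input fields have to match the same row of the lookup, which is what `lookup host AS host_name, service AS service_name` does and what a per-field exclusion cannot express. The following Python is an added example, not code from the thread or from Splunk: it models that multi-field lookup over a constructed two-column allowlist (host, service) and a handful of constructed EventCode 7045 events with the field names the answer assumes (host_name, service_name), and places it beside the naive "each field independently" check so the difference is visible. The case-folding is a caveat for the real deployment: Splunk CSV lookups match case-sensitively unless `case_sensitive_match` is turned off in the lookup definition, and Windows host names arrive in mixed case.

```python
import csv
import io

# Constructed sample allowlist, shaped like the two-column lookup (host, service)
# that the accepted answer assumes. Not data from the original thread.
WHITELIST_CSV = """host,service
srv-app01,BackupAgent
srv-db02,MonitoringAgent
"""

# Constructed sample EventCode 7045 events with the fields already extracted
# (host_name and service_name are the field names the answer assumes).
EVENTS = [
    {"host_name": "srv-app01",    "service_name": "BackupAgent"},      # listed pair
    {"host_name": "srv-app01",    "service_name": "PsExecSvc"},        # unlisted service
    {"host_name": "SRV-DB02",     "service_name": "MonitoringAgent"},  # listed pair, different case
    {"host_name": "srv-app01",    "service_name": "MonitoringAgent"},  # host and service each listed, but never together
    {"host_name": "ws-finance07", "service_name": "BackupAgent"},      # unlisted host
]


def norm(value):
    """Case-fold a field value. Splunk CSV lookups match case-sensitively by default
    (case_sensitive_match in the lookup definition / transforms.conf), so either
    normalise both sides like this or turn that setting off."""
    return value.strip().lower()


def load_whitelist(csv_text):
    """Read the lookup into a set of (host, service) pairs; one row is one approved pair."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(norm(row["host"]), norm(row["service"])) for row in reader}


def remaining_alerts(events, allowed):
    """Mirror the accepted answer's search:
       | lookup whitelist.csv host AS host_name, service AS service_name OUTPUT host AS found_host
       | where isnull(found_host)
    found_host is only populated when BOTH input fields match the SAME lookup row."""
    kept = []
    for event in events:
        key = (norm(event["host_name"]), norm(event["service_name"]))
        found_host = key[0] if key in allowed else None   # OUTPUT host AS found_host
        if found_host is None:                            # where isnull(found_host)
            kept.append(event)
    return kept


def per_field_alerts(events, allowed):
    """The trap: extending the single-field exclusion by checking each field on its
    own. An event is suppressed whenever its host appears anywhere in the list AND
    its service appears anywhere in the list, even if that host was never approved
    for that service. This silently widens the allowlist."""
    hosts = {h for h, _ in allowed}
    services = {s for _, s in allowed}
    return [e for e in events
            if not (norm(e["host_name"]) in hosts and norm(e["service_name"]) in services)]


def pairs(events):
    """Convenience: the (host_name, service_name) of each event, for printing or asserting."""
    return [(e["host_name"], e["service_name"]) for e in events]


if __name__ == "__main__":
    allowed = load_whitelist(WHITELIST_CSV)
    print("pair match (correct):   ", pairs(remaining_alerts(EVENTS, allowed)))
    print("per-field match (wrong):", pairs(per_field_alerts(EVENTS, allowed)))
```

Run it and the pair match keeps three alerts, including srv-app01 installing MonitoringAgent, which the per-field check wrongly drops because that host and that service are each approved somewhere in the table. When the table is maintained by hand, also keep the CSV to exactly the columns the lookup command names; an extra column such as search_name only helps if it is included as one of the matched fields.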

utsav45
Explorer

Hi Mate,

Thanks for your reply.

I tried to use the lookup command instead of inputlookup, and surprisingly it gives me an error: "Error in 'lookup' command: Lookups: The lookup table 'utsavtest.csv' does not exist or is not available."

When I try to use the same lookup table with the inputlookup command (the one I mentioned previously), it doesn't give the error.

I believe permissions should work the same for both commands. Not sure.

I've attached screenshots of the lookup table, the error while running the Splunk search, and the lookup table permissions at the OneDrive URL below.


Thanks


maciep
Champion

Interesting. I think you can do lookups against the CSV directly, but maybe try creating a lookup definition for that CSV to see if that works: Settings -> Lookups -> Lookup Definitions.


utsav45
Explorer

Thanks Mate,

I had to add a lookup definition for the newly created lookup table. After that I was able to meet the requirement using the query you suggested.

Thanks heaps!!


maciep
Champion

Glad it's working!
