Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Using lookup table for whitelisting CIDR ranges in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm brand new to Splunk and I'm having difficulty getting a query to return the results I'm looking for. I've checked the knowledge base and I see references to using transforms.conf and props.conf, but I'm in an Enterprise environment, and I don't have access to change those files.
I have a .csv lookup I've created that contains a column for CIDR ranges and a column to indicate whether the CIDR range should be whitelisted from search results. I'm trying run a query for any SMB that is incoming from the internet. My query is listed below.
index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp
| lookup smbwhitelist.csv dest_ip OUTPUTNEW iswhitelist as whitelist
| search NOT whitelist IN ("yes")
This returns all traffic including all the CIDR ranges that I'm trying to whitelist and exclude from the search results. If I remove the NOT from the search, then I receive no results. However, if I manually paste in the CIDR ranges I get results, so I'm missing something.
Any pointers in the right direction would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since it is 0, the value is different, or the field does not exist.
Check the value set for ”whitelist ”.
As a result
index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp
| lookup smbwhitelist.csv dest_ip OUTPUTNEW iswhitelist as whitelist
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since it is 0, the value is different, or the field does not exist.
Check the value set for ”whitelist ”.
As a result
index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp
| lookup smbwhitelist.csv dest_ip OUTPUTNEW iswhitelist as whitelist
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't return any results but thank you for the suggestion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the result is not returned so far, it is not a problem of the subsequent condition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You were correct. I removed the NOT Cisco_ASA_action=teardown NOT transport=icmp and started seeing results. Apparently, my whitelist excluded every alert and there were no other matching record. I appreciate you taking the time to help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @rip_leroi,
Please try this search and let me know how it works.
index=netfw sourcetype=cisco:asa dest_port=445 Cisco_ASA_action!=teardown transport!=icmp
| lookup smbwhitelist.csv dest_ip OUTPUT iswhitelist as whitelist
| search whitelist!="yes"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I appreciate the comment. This returns all results including the CIDR ranges that I'm looking to exclude.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
