Splunk Enterprise Security

How to build a lookup list without fields

rtalcik
Path Finder

Is it possible to import a lot of IP addresses into a lookup list and search the lookup list without assigning the addresses to a specific field?

Basically I want the search from the lookup to act as if I had just typed 10.X.X.X into the search bar.

I know this isn't the best way to do it, but right now I want to be able to search for that IP across all indexes, and each index has different field names for it.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @rtalcik,
it isn't possible to have a lookup without fields and there's no sense in this.
But if you want to run a search without fields or (better) in all the raw events, you can use this approach:

index=your_index [ | inputlookup your_lookup.csv | rename your_field AS query | fields query ]
| ...

In this way, the content of the your_field column of your_lookup.csv is searched in all the raw events in full text search mode.

Ciao.
Giuseppe


0 Karma

to4kawa
Ultra Champion
index=your_index [ | inputlookup your_lookup.csv | stats values(your_field) AS query | eval query=mvjoin(query, " OR ") | fields query ]

Just to be sure

0 Karma

rtalcik
Path Finder

Okay, so I would be able to add the list of IPs to the field, rename the field, then query off that for the search in raw event logs and such. I'll try it.

0 Karma

rtalcik
Path Finder

So I need some help, because it didn't work.

sourcetype=cisco*
[| inputlookup EmotetIP.csv
| rename IP as query
| fields query
]

What I am trying to accomplish is basically building the list so I can set up an alert if a log comes in that matches an IP in this list.

0 Karma

afx
Contributor

What did not work?
Put an address that you know is in the cisco index into the CSV and then try, to make sure you have a positive test.
cheers
afx

0 Karma
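To make concrete what the accepted answer's subsearch does (and why to4kawa's `mvjoin(query, " OR ")` variant lands in the same place), here is an added Python emulation; it is not Splunk's code and not part of the thread. Every value in the `query` column returned by `inputlookup` is dropped into the outer search as a bare term, OR'ed with the others, and matched against the raw event text rather than against a named field, which is exactly why it works across indexes whose field names differ. It also carries out afx's positive test: a lookup containing an IP known to be in the sample data must produce a hit. The lookup CSV (standing in for EmotetIP.csv), the log lines, and the tokeniser are all constructed here; the tokeniser only approximates Splunk's segmentation of `_raw` (split on whitespace and common punctuation, then compare whole tokens), so its behaviour on corner cases is an assumption, not a statement about Splunk.

```python
"""Emulate: sourcetype=cisco* [ | inputlookup EmotetIP.csv | rename IP AS query | fields query ]

Added illustration, not Splunk code. Lookup, events and tokeniser are constructed;
the tokeniser approximates (assumption) Splunk's term segmentation of _raw.
"""
import csv
import io
import re

# Constructed lookup standing in for EmotetIP.csv: one column, no other fields.
LOOKUP_CSV = """IP
10.0.0.1
192.0.2.44
"""

# Constructed events in two formats, so the IP sits in a differently named
# field (or in no field at all) depending on the source.
RAW_EVENTS = [
    '%ASA-6-302013: Built outbound TCP connection 123 for outside:192.0.2.44/443 (192.0.2.44/443) to inside:10.1.1.5/51000',
    'action=deny src_ip=10.0.0.1 dst_ip=203.0.113.7 proto=tcp',
    'action=allow src_ip=10.0.0.10 dst_ip=203.0.113.9 proto=udp',  # near miss: 10.0.0.10 is not 10.0.0.1
    'user login from 198.51.100.23 succeeded',
]

# Approximation of Splunk's breakers: whitespace, brackets and common punctuation
# split _raw into tokens; the dots inside an IP are kept so the IP stays one token.
_BREAKERS = re.compile(r'[\s\[\]()<>{}"/:=,;]+')


def load_query_terms(csv_text: str, column: str) -> list[str]:
    """`| inputlookup ... | rename <column> AS query | fields query`:
    read the lookup and return its values as raw search terms."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if row[column].strip()]


def expanded_search(terms: list[str]) -> str:
    """Roughly what the outer search sees once the subsearch has run:
    each value OR'ed in as a bare term, with no field name attached."""
    return " OR ".join(f'"{t}"' for t in terms)


def tokens(raw: str) -> set[str]:
    """Segment one raw event into whole tokens."""
    return {t for t in _BREAKERS.split(raw) if t}


def matching_events(raw_events: list[str], terms: list[str]) -> list[str]:
    """Full-text match: an event hits when any term equals one of its tokens.
    Whole-token comparison is what keeps 10.0.0.1 from matching 10.0.0.10."""
    wanted = set(terms)
    return [e for e in raw_events if tokens(e) & wanted]


if __name__ == "__main__":
    terms = load_query_terms(LOOKUP_CSV, "IP")
    print("search expands to:", expanded_search(terms))
    for event in matching_events(RAW_EVENTS, terms):
        print("HIT:", event)
```

Two things to check before wiring this into an alert: run afx's positive test first (an IP you know is present must hit, and a near-miss such as 10.0.0.10 must not), and keep the lookup comfortably under the subsearch result limit, which defaults to 10,000 rows in limits.conf; a larger list is silently truncated, so the alert would quietly stop covering the tail of the file.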