Splunk Enterprise Security

How to edit my data model search to reference a lookup table?

hmrabet
New Member

Hi All,

I am working on developing a search in Splunk Enterprise Security that will reference a lookup table named "Blacklist.csv", which contains a list of blacklisted IPs under a field called "IP_Blacklist".

I have so far written a search that references more than one data model. The issue is I'm not getting any matches against the blacklisted IP list. There is at least one match that should be brought up.

My current search:

| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [|datamodel "Authentication" "Authentication" search] [|datamodel "Web" "Web" search] | lookup Blacklist.csv IP_Blacklist
0 Karma

somesoni2
SplunkTrust
SplunkTrust

The lookup command is used to add fields from a lookup based on a field. So if you're looking to look at raw events from those data model results for the IP addresses from the lookup, I would try it like this:

| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [|datamodel "Authentication" "Authentication" search] [|datamodel "Web" "Web" search] | search [| inputlookup Blacklist.csv | table  IP_Blacklist | rename IP_Blacklist as search | format ]

The second subsearch should add a giant OR condition with the values of the IP_Blacklist field, e.g. ((xx.xx.xx.xx) OR (xx.xx.xx.xx) OR ...)

0 Karma

hmrabet
New Member

Thanks, that subsearch was what I was looking for.

0 Karma

hmrabet2
Observer

If a match was found based on the "IP_Blacklist" field, how would I output another field named "comments" from the same lookup file as an OUTPUT?

I have tried adding the following to the end of the search:

| lookup Blacklist.csv IP_Blacklist OUTPUT comments | table IP_Blacklist, comments

It matches the number of triggered events, but the table of results is empty.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Do all the datamodel search results contain the field IP_Blacklist? Also, what you're doing here is a lookup for data enrichment (adding fields from your lookup table to search results wherever there is a match), not a filter. I hope that is what you intend to do.

0 Karma

hmrabet2
Observer

The data models don't contain a field named "IP_Blacklist". What I am trying to accomplish is to reference the "IP_Blacklist" field from my lookup file in the search and match this against any IP addresses in the Splunk platform to give me a list of bad IPs.

0 Karma
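Added example, not part of the thread: the `lookup Blacklist.csv IP_Blacklist OUTPUT comments` attempt above returns an empty table because `lookup` looks for a field named IP_Blacklist in each event, and the last post confirms no data model event carries one. The fix for both questions in the thread (filter on the blacklist and carry `comments` through) is to map the lookup key onto the event's own address fields. This search assumes the CIM fields `src` and `dest`, which `datamodel ... search` exposes as `All_Traffic.src`, `Authentication.dest`, `Web.src` and so on; the `*_blacklist_comment` field names are chosen here for illustration and are not part of the original post.

```spl
| multisearch
    [| datamodel "Network_Traffic" "All_Traffic" search
       | rename "All_Traffic.src" AS src, "All_Traffic.dest" AS dest]
    [| datamodel "Authentication" "Authentication" search
       | rename "Authentication.src" AS src, "Authentication.dest" AS dest]
    [| datamodel "Web" "Web" search
       | rename "Web.src" AS src, "Web.dest" AS dest]
| lookup Blacklist.csv IP_Blacklist AS src  OUTPUT comments AS src_blacklist_comment
| lookup Blacklist.csv IP_Blacklist AS dest OUTPUT comments AS dest_blacklist_comment
| where isnotnull(src_blacklist_comment) OR isnotnull(dest_blacklist_comment)
| eval IP_Blacklist=if(isnotnull(src_blacklist_comment), src, dest)
| eval comments=coalesce(src_blacklist_comment, dest_blacklist_comment)
| table _time, sourcetype, src, dest, IP_Blacklist, comments
```

Each `lookup` call runs against one event field, so there is one call per address field; the `where` line is what turns the enrichment back into a filter, and an event whose src and dest are both listed reports only src in IP_Blacklist. Two checks worth making before trusting an empty result: `lookup` is an exact (case-insensitive) string match, so a Blacklist.csv that holds CIDR ranges needs a lookup definition with `match_type = CIDR(IP_Blacklist)` in transforms.conf, referenced by definition name rather than file name; and a lookup file that is private to a user or to another app is not visible to a search run from the Enterprise Security app, so confirm its sharing in Settings > Lookups.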