I am working on developing a search in Splunk Enterprise Security that will reference a lookup table named "Blacklist.csv" which contains a list of blacklisted IP's under a field called "IP_Blacklist".
I have so far written a search to reference more than one data model. The issue is im not getting any matches against the Blacklisted IP list. There is at least one match that should be brought up.
My current search:
| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [|datamodel "Authentication" "Authentication" search] [|datamodel "Web" "Web" search] | lookup Blacklist.csv IP_Blacklist
The lookup command is used to add fields from lookup based on a field. So if you're looking to look at raw events from those data model results for the IP addresses from lookup, I would try like this
| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [|datamodel "Authentication" "Authentication" search] [|datamodel "Web" "Web" search] | search [| inputlookup Blacklist.csv | table IP_Blacklist | rename IP_Blacklist as search | format ]
The second subsearch should add a giant OR condition with values of IP_Blacklist field, e.g.
((xx.xx.xx.xx) OR (xx.xx.xx.xx) OR...)
Thanks that sub search was what i was looking for.
If a match was found based on the "IP_Blacklist" field how would I output another field named "comments" field from the same lookup file as a OUTPUT.
I have tried adding the following to the end of the search:
| lookup Blacklist.csv IP_Blacklist OUTPUT comments | table IP_Blacklist, comments
It matches the number of triggered events but the table of results are empty.
Do all the datamodel search result contains the field IP_Blacklist? Also, here what you're doing is lookup for data enrichment (adding fields from your lookup table to search results wherever there is a match) and not filter. I hope that is what you intend to do.
The data models don't contain a field named "IP_Blacklist". What I am trying to accomplish is to reference the "IP_Blacklist" field from my lookup file in the search and match this against any IP addresses in the Splunk platform to give me a list of bad IP's.