Splunk Enterprise Security

How to edit my data model search to reference a lookup table?

New Member

Hi All,

I am working on developing a search in Splunk Enterprise Security that will reference a lookup table named "Blacklist.csv" which contains a list of blacklisted IPs under a field called "IP_Blacklist".

I have so far written a search to reference more than one data model. The issue is I'm not getting any matches against the blacklisted IP list. There is at least one match that should be brought up.

My current search:

| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [|datamodel "Authentication" "Authentication" search] [|datamodel "Web" "Web" search] | lookup Blacklist.csv IP_Blacklist
0 Karma

SplunkTrust

The lookup command is used to add fields from a lookup based on a field. So if you're looking to look at raw events from those data model results for the IP addresses from the lookup, I would try something like this:

| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [| datamodel "Authentication" "Authentication" search] [| datamodel "Web" "Web" search] | search [| inputlookup Blacklist.csv | table IP_Blacklist | rename IP_Blacklist as search | format ]

The second subsearch should add a giant OR condition with values of IP_Blacklist field, e.g. ((xx.xx.xx.xx) OR (xx.xx.xx.xx) OR...)

0 Karma

New Member

Thanks, that subsearch was what I was looking for.

0 Karma

New Member

If a match was found based on the "IP_Blacklist" field, how would I output another field named "comments" from the same lookup file as an OUTPUT?

I have tried adding the following to the end of the search:

| lookup Blacklist.csv IP_Blacklist OUTPUT comments | table IP_Blacklist, comments

It matches the number of triggered events, but the table of results is empty.

0 Karma

SplunkTrust

Do all the datamodel search results contain the field IP_Blacklist? Also, what you're doing here is a lookup for data enrichment (adding fields from your lookup table to search results wherever there is a match) and not filtering. I hope that is what you intend to do.

0 Karma

New Member

The data models don't contain a field named "IP_Blacklist". What I am trying to accomplish is to reference the "IP_Blacklist" field from my lookup file in the search and match this against any IP addresses in the Splunk platform to give me a list of bad IPs.

0 Karma
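An added example (not from any post in this thread) that combines the two points above: the events carry no field called IP_Blacklist, so the lookup has to be told which event field to compare against with AS, and the filter comes from the inputlookup/format subsearch. The field names All_Traffic.src, Authentication.src and Web.src are assumed CIM data model field names; IP_Blacklist and comments are the lookup columns named in the thread.

```spl
| multisearch
    [| datamodel "Network_Traffic" "All_Traffic" search]
    [| datamodel "Authentication" "Authentication" search]
    [| datamodel "Web" "Web" search]
| search [| inputlookup Blacklist.csv | table IP_Blacklist | rename IP_Blacklist AS search | format]
| eval ip=coalesce('All_Traffic.src', 'Authentication.src', 'Web.src')
| lookup Blacklist.csv IP_Blacklist AS ip OUTPUT comments
| where isnotnull(comments)
| table _time, ip, comments
```

The `where isnotnull(comments)` line drops events that only matched the free-text OR filter incidentally (for example an IP that appears in another field), so the final table lists only events whose source address is actually in the lookup.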