I am trying to whitelist events from a specific server using IP and hostname. I am running into 2 issues.
I have different field values coming up for the same host (ex: server1 and 10.2.3.4). I can use inputlookup to remove the IP, however I can't figure out how to remove multiple values in the most efficient way.
On another search, I am also whitelisting, but in this case I need to add a whitelist of one server using its IP, but for 2 different field values. For context, these are Linux auth logs and WinEvent:Security logs.
Base part of search that I'm using for both:
NOT [ | inputlookup ess_whitelist_security.csv | where match(alert_name, "Access - Default Account In Use") | rename src AS rhost | fields rhost ]
I am not sure if you are referring to tagging/rename/alias instead of a whitelist? (terminology issue)
If you have events coming from the same host with both a hostname and an IP address, you can use tags to have a common name for both events, e.g. myapphost1.
Your second scenario looks like you want to 'alias' a field.
Even after doing the Field Alias for scenario 2, I am still receiving those events. Seems more to do with my inputlookup language.
Can you give examples and/or explain a bit more of your requirement 2?
I have resolved my issue 2 by using a Field Alias to recognize the field: Source_Network_Address (from WinEventLogs:Security sourcetype) as rhost (Linux sourcetype).
For issue 1, I have attempted the tagging that you suggested and this did not work.
Example of issue one: FieldName: src. Getting field name src=10.X.X.X and src=SERVER1.
SERVER1 is the server with IP 10.X.X.X.
So, for scenario 1, you have events which have the field 'src' populated with an IP address and some with a hostname. Both are actually from the same server. So, if you do a search like index=yourindex host=*, you should see IP and hostname values for 'host'. So, if you tag events from host=10.X.X.X as MYSERVER1 and similarly tag events with host=SERVER1 as MYSERVER1, you can achieve the same.
What error/issue did you face?
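An added example, not part of the original thread, that handles both issues in a single search without relying on tags or a Field Alias: issue 1 (the same server appearing as a hostname in one event and as an IP in another) is covered by giving the whitelist one row per representation, and issue 2 (the Linux `rhost` field versus the Windows `Source_Network_Address` field) is covered by copying each whitelist value into both field names in the subsearch and joining them with OR via `format`. The first search is fully self-contained: the five events and the two whitelist rows are constructed with `makeresults` so it can be pasted into any Splunk search bar. The second search is the same subsearch applied to the thread's `ess_whitelist_security.csv` lookup (columns `alert_name` and `src` are from the thread); `yourindex` and the value `server1`/`10.2.3.4` pair are placeholders, not values from the original post.

```spl
| makeresults
| eval ev=split("linux,server1;linux,10.2.3.4;linux,10.9.9.9;windows,10.2.3.4;windows,10.9.9.9", ";")
| mvexpand ev
| rex field=ev "^(?<logtype>[^,]+),(?<addr>.+)$"
| eval rhost=if(logtype="linux", addr, null())
| eval Source_Network_Address=if(logtype="windows", addr, null())
| fields - ev addr
| search NOT [ | makeresults
    | eval src=split("server1;10.2.3.4", ";")
    | mvexpand src
    | eval rhost=src, Source_Network_Address=src
    | fields rhost Source_Network_Address
    | format "(" "(" "OR" ")" "OR" ")" ]
| table logtype rhost Source_Network_Address

index=yourindex NOT [ | inputlookup ess_whitelist_security.csv
    | where match(alert_name, "Access - Default Account In Use")
    | eval rhost=src, Source_Network_Address=src
    | fields rhost Source_Network_Address
    | format "(" "(" "OR" ")" "OR" ")" ]
```

The default `format` joins the columns of a row with AND, which would only exclude events carrying both fields; overriding the column separator to OR turns each whitelist row into `( rhost="server1" OR Source_Network_Address="server1" )`, and the rows are then ORed together and negated by the leading NOT. For issue 1 the lookup simply needs a `server1` row and a `10.2.3.4` row; if the lookup instead keeps hostname and IP in two columns, replace the `eval rhost=src, ...` line with `| eval src=mvappend(hostname, ip) | mvexpand src | eval rhost=src, Source_Network_Address=src` (column names `hostname` and `ip` are assumed). The Field Alias from the thread remains a valid alternative for issue 2; this form just keeps the whole whitelist in one place.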