Splunk Enterprise Security

Tstats with inputlookup to check for a malicious IP with the authentication datamodel

New Member

Here is my SPL, what am I doing wrong?

|tstats count from datamodel=Authentication where ([|inputlookup threatconnect_ip_indicators.csv | fields ip | rename IP AS Authentication.src]) by Authentication.src, Authentication.user, Authentication.dest, Authentication.action
|rename Authentication.src as SRC, Authentication.user as USER, Authentication.dest as DEST, Authentication.action as ACTION
|table USER SRC DEST ACTION count
0 Karma

SplunkTrust
SplunkTrust

Hi,

Please try below query, also make sure that IP address column header is case sensitive in inputlookup command

|tstats count from datamodel=Authentication where ([ inputlookup threatconnect_ip_indicators.csv | fields ip | rename ip AS Authentication.src | format ]) by Authentication.src, Authentication.user, Authentication.dest, Authentication.action
|rename Authentication.src as SRC, Authentication.user as USER, Authentication.dest as DEST, Authentication.action as ACTION
|table USER SRC DEST ACTION count
0 Karma