Splunk Enterprise Security

Why do I get "Unknown search command '3'" when running this query?

Kitag345
Explorer

| inputlookup ip_spywarelist.csv
| eval ip_range=split(ip,"-")
| eval start_ip=mvindex(ip_range, 0), end_ip=mvindex(ip_range, 1)
| eval start_ip_long=tonumber(split(start_ip,"\\.")[3])
| eval end_ip_long=tonumber(split(end_ip,"\\.")[3])
| eval ip_list=mvrange(start_ip_long,end_ip_long)
| mvexpand ip_list
| eval ip_address=substr(start_ip,1,strlen(start_ip) -length(start_ip_long))
| table ip_address

Notes: When I run this query, I get "Unknown search command '3'" (please don't mind any typos, as I typed the query manually here). Why does this query NOT work? The idea is to create a correlation search that would generate an alert if either the Src_ip or the dest_ip matches an IP within the IP range (in the ip field). Since "ip_spywarelist.csv" has a field called "ip" that only contains IP ranges as values, I would like to search among all the IPs in each range, not just the start IP and end IP of the range (e.g. 2.60.13.132-2.60.13.137). I just wanted to verify that the query was working perfectly before I include it in: index=* sourcetype=* [ | inputlookup ip_spywarelist.csv | ... The CSV file is provided by Splunk under "threat intel." The idea is to create a correlation search using that file, which only provides the malicious IPs in IP range format.

1 Solution

richgalloway
SplunkTrust
SplunkTrust

Text inside square brackets ("[3]" in the query shown) is assumed to be a subsearch.  Subsearches must begin with a valid SPL command, which "3" is not.

It appears as though you are trying to use "[3]" as an array index into the results of the split function.  That's not how to do it, both because of the subsearch feature already mentioned and because Splunk doesn't have arrays.

Since split returns a multi-value field, use the mvindex function to choose one of the values.

| eval start_ip_long=tonumber(mvindex(split(start_ip,"."),3))
| eval end_ip_long=tonumber(mvindex(split(end_ip,"."),3))
---
If this reply helps you, Karma would be appreciated.



Kitag345
Explorer

Thank you for your assistance. The query now works!

I also had to replace 'strlen' (which was a mistake, as it's not supported by Splunk) with 'len'.
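A worked version of the corrected search, added here as an example; it is not part of the original thread and not Splunk's threat-intel content. It keeps the post's names (the lookup ip_spywarelist.csv with one "start-end" range per row in the ip field; start_ip, end_ip, ip_address; src_ip and dest_ip in the events). The expanded lookup name ip_spywarelist_expanded.csv and the is_spyware_ip flag field are assumptions made for this example. It goes beyond the post in two ways: it converts the whole dotted quad to a 32-bit integer, so a range that crosses an octet boundary (for example 2.60.13.250-2.60.14.5) expands correctly instead of giving mvrange a start larger than its end, and it passes end_long+1 to mvrange because mvrange excludes its upper bound, so the end IP itself is included. A row holding a single IP with no "-" is treated as a range of one. The first search is run once (or on a schedule) to materialize the expanded list; the second is the correlation search that uses it.

```spl
| inputlookup ip_spywarelist.csv
| eval ip_range=split(ip,"-")
| eval start_ip=trim(mvindex(ip_range,0))
| eval end_ip=coalesce(trim(mvindex(ip_range,1)), start_ip)
| eval s=split(start_ip,"."), e=split(end_ip,".")
| eval start_long=tonumber(mvindex(s,0))*16777216 + tonumber(mvindex(s,1))*65536 + tonumber(mvindex(s,2))*256 + tonumber(mvindex(s,3))
| eval end_long=tonumber(mvindex(e,0))*16777216 + tonumber(mvindex(e,1))*65536 + tonumber(mvindex(e,2))*256 + tonumber(mvindex(e,3))
| where isnotnull(start_long) AND isnotnull(end_long) AND start_long<=end_long
| eval ip_long=mvrange(start_long, end_long+1)
| mvexpand ip_long
| eval ip_address=floor(ip_long/16777216).".".floor((ip_long%16777216)/65536).".".floor((ip_long%65536)/256).".".(ip_long%256)
| eval is_spyware_ip="true"
| table ip_address is_spyware_ip
| outputlookup ip_spywarelist_expanded.csv

index=* (src_ip=* OR dest_ip=*)
| lookup ip_spywarelist_expanded.csv ip_address AS src_ip OUTPUT is_spyware_ip AS src_is_spyware
| lookup ip_spywarelist_expanded.csv ip_address AS dest_ip OUTPUT is_spyware_ip AS dest_is_spyware
| where src_is_spyware="true" OR dest_is_spyware="true"
| table _time index sourcetype src_ip dest_ip src_is_spyware dest_is_spyware
```

Two caveats before scheduling this. mvexpand is bounded by max_mem_usage_mb in limits.conf and a single wide range (a /16 is 65,536 addresses) can exhaust it or produce a lookup far larger than the source file, so inspect the size of the ranges in the feed first; if they are wide, skip the expansion and instead convert the event's src_ip and dest_ip to the same 32-bit integer and test start_long<=ip_long AND ip_long<=end_long against the range rows. Second, index=* sourcetype=* is kept from the post for illustration only; a production correlation search should be scoped to the indexes and sourcetypes that actually carry src_ip and dest_ip.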
