Splunk Enterprise Security

Why do I get "Unknown search command '3'" when running this query?

Kitag345
Explorer

| inputlookup ip_spywarelist.csv
| eval ip_range=split(ip,"-")
| eval start_ip=mvindex(ip_range, 0), end_ip=mvindex(ip_range, 1)
| eval start_ip_long=tonumber(split(start_ip,"\\.")[3])
| eval end_ip_long=tonumber(split(end_ip,"\\.")[3])
| eval ip_list=mvrange(start_ip_long,end_ip_long)
| mvexpand ip_list
| eval ip_address=substr(start_ip,1,strlen(start_ip) -length(start_ip_long))
| table ip_address

Notes: When I run this query, I get "Unknown search command '3'" (please don't mind any typos, as I typed the query manually here). Why does this query NOT work? The idea is to create a correlation search that would generate an alert if either the Src_ip or the dest_ip matches an IP within the IP range (in the ip field). Since "ip_spywarelist.csv" has a field called "ip" that only contains IP ranges as values, I would like to search among all the IPs in each range, not just the start IP and end IP of the range (i.e. 2.60.13.132-2.60.13.137). I just wanted to verify that the query was working perfectly before I include it in: index=* sourcetype=* [ | inputlookup ip_spywarelist.csv | ... The CSV file is provided by Splunk under "threat intel." The idea is to create a correlation search using that file, which only provides the malicious IPs in IP range format.

0 Karma
1 Solution

richgalloway
SplunkTrust

Text inside square brackets ("[3]" in the query shown) is assumed to be a subsearch.  Subsearches must begin with a valid SPL command, which "3" is not.

It appears as though you are trying to use "[3]" as an array index into the results of the split function.  That's not how to do it, both because of the subsearch feature already mentioned and because Splunk doesn't have arrays.

Since split returns a multi-value field, use the mvindex function to choose one of the values.

| eval start_ip_long=tonumber(mvindex(split(start_ip,"."),3))
| eval end_ip_long=tonumber(mvindex(split(end_ip,"."),3))
---
If this reply helps you, Karma would be appreciated.


0 Karma
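To see what the corrected lookup expansion is supposed to produce, here is the same logic written out in Python as an added example (not code from the thread or from Splunk): parse each "start-end" value from the lookup, expand it to every address in the range, and match a set of events on src_ip or dest_ip. It goes beyond the SPL above in one respect: it converts both endpoints to 32-bit integers instead of working on the last octet only, so a range that crosses an octet boundary is expanded correctly. The lookup rows and events are constructed samples, not the contents of the real ip_spywarelist.csv, and the range is treated as inclusive at both ends (check the mvrange documentation for whether its end value is included when you rely on the SPL version).

```python
import ipaddress
from typing import Iterator, List, Set

# Constructed sample of what a lookup like ip_spywarelist.csv might hold:
# a single "ip" column whose values are start-end ranges (not the real file).
SAMPLE_LOOKUP_ROWS = [
    {"ip": "2.60.13.132-2.60.13.137"},   # range inside one /24, as in the question
    {"ip": "10.0.0.254-10.0.1.2"},       # crosses an octet boundary (hypothetical)
    {"ip": "192.0.2.7"},                 # a single address with no dash
    {"ip": "not-an-ip"},                 # malformed row that must be skipped
]


def expand_range(value: str) -> Iterator[str]:
    """Yield every IPv4 address in a 'start-end' range, inclusive.

    Unlike the last-octet arithmetic in the SPL query, both endpoints are
    converted to 32-bit integers, so ranges spanning an octet boundary work.
    A bare address yields itself; unparsable or reversed ranges yield nothing.
    """
    parts = value.split("-")
    if len(parts) == 1:
        parts = [parts[0], parts[0]]
    if len(parts) != 2:
        return
    try:
        start = int(ipaddress.IPv4Address(parts[0].strip()))
        end = int(ipaddress.IPv4Address(parts[1].strip()))
    except ipaddress.AddressValueError:
        return
    if end < start:
        return
    for n in range(start, end + 1):
        yield str(ipaddress.IPv4Address(n))


def build_blocklist(rows) -> Set[str]:
    """Flatten every lookup row into one set of individual addresses."""
    blocked: Set[str] = set()
    for row in rows:
        blocked.update(expand_range(row.get("ip", "")))
    return blocked


# Constructed events standing in for index=* results carrying src_ip/dest_ip.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.5", "dest_ip": "2.60.13.135"},   # dest inside first range
    {"src_ip": "10.0.1.1", "dest_ip": "198.51.100.9"},     # src inside boundary range
    {"src_ip": "203.0.113.6", "dest_ip": "2.60.13.140"},   # just past the first range
]


def match_events(events, blocked: Set[str]) -> List[dict]:
    """Return events whose src_ip or dest_ip is in the expanded blocklist."""
    return [e for e in events
            if e.get("src_ip") in blocked or e.get("dest_ip") in blocked]


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_LOOKUP_ROWS)
    for hit in match_events(SAMPLE_EVENTS, blocklist):
        print("ALERT", hit)
```

Expanding every range into individual addresses mirrors what mvexpand does in the query and is fine for small threat-intel ranges; for large ranges it is cheaper to keep the integer start and end per row and compare the event's address as an integer against them, which avoids materialising thousands of rows.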


Kitag345
Explorer

Thank you for your assistance. The query now works!

I also had to replace 'strlen' (which was a mistake as it's not supported by Splunk) by 'len'. 
