Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I get "Unknown search command '3' when running this query?

Kitag345
Explorer
‎04-14-2023 09:04 AM

I inputlookup ip_spywarelist.csv

| eval ip_range=split(ip,"-")

| eval start_ip=mvindex(ip_range, 0), end_ip=mvindex(ip_range, 1)

| eval start_ip_long=tonumber(split(start_ip,"\\.")[3])

| eval end_ip_long=tonumber(split(end_ip,"\\.")[3])

| eval ip_list=mvrange(start_ip_long,end_ip_long)

| mvexpand ip_list

| eval ip_address=substr(start_ip,1,strlen(start_ip) -length(start_ip_long))

| table ip_address

Notes: When I run this query, I get "Unknown search command '3' (Please don't mind any typos, as I typed the query manually here). Why this query does NOT work?  The idea is to create a correlation search that would generate an alert if either the Src_ip or the dest_ip matches the IP within the IP range (in the ip field) . Since "ip_spywarelist.csv" has a field called "ip" that only contains IP ranges as values, I would like to search among all the IPs in each range not just the Start IP and end IP within the range (i.e: 2.60.13.132-2.60.13.137). I just wanted to verify if the query was working perfectly, before I include it in: index=* sourcetype=* [ | inputlookup ip_spywarelist.csv | ... The CSV file is provided by Splunk under "threat intel." The idea is to create a correlation search using that file which only provide the malicious IPs under IP range format. 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2023 09:54 AM

Text inside square brackets ("[3]" in the query shown) is assumed to be a subsearch.  Subsearches must begin with a valid SPL command, which "3" is not.

It appears as though you are trying to use "[3]" as an array index into the results of the split function.  That's not how to do it, both because of the subsearch feature already mentioned and because Splunk doesn't have arrays.

Since split returns a multi-value field, use the mvindex function to choose one of the values.

| eval start_ip_long=tonumber(mvindex(split(start_ip,"."),3))
| eval end_ip_long=tonumber(mvindex(split(end_ip,"."),3))
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2023 09:54 AM

Text inside square brackets ("[3]" in the query shown) is assumed to be a subsearch.  Subsearches must begin with a valid SPL command, which "3" is not.

It appears as though you are trying to use "[3]" as an array index into the results of the split function.  That's not how to do it, both because of the subsearch feature already mentioned and because Splunk doesn't have arrays.

Since split returns a multi-value field, use the mvindex function to choose one of the values.

| eval start_ip_long=tonumber(mvindex(split(start_ip,"."),3))
| eval end_ip_long=tonumber(mvindex(split(end_ip,"."),3))
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Kitag345
Explorer
‎04-14-2023 10:21 AM

Thank you for your assistance. The query now works!

I also had to replace 'strlen' (which was a mistake as it's not supported by Splunk) by 'len'. 

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top