Splunk Search

Alert if src_ip or dest_ip exists in lookup table

chillsgrove
Explorer

I want to create an alert that triggers when a src_ip OR dest_ip exists in a lookup table (e.g. threat_ip_list.csv). But I'm not sure how to create the search string for this. The fields I'm using in the threat_ip_list lookup table are as follows:

src_ip, dest_ip, threat_country, threat_name
(NOTE: The src_ip and dest_ip field values are duplicates of each other in the lookup table.)

If the src_ip OR dest_ip matches an IP address listed in the table, the alert should trigger and provide the threat_country and threat_name information. Any recommendations on how to do this are greatly appreciated.

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

your search to get ip_address field which contains the ip
| lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1
| lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2
| where isnotnull(threat_country1) OR isnotnull(threat_country2)
| eval threat_country=coalesce(threat_country1,threat_country2)
| eval threat_name=coalesce(threat_name1,threat_name2)
| table ip_address threat_country threat_name


0 Karma
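The question describes events that carry separate src_ip and dest_ip fields rather than a single ip_address field, so below is the same two-lookup approach rewritten for that layout. This is an added example, not part of any post in this thread: index=firewall and sourcetype=fw_events are placeholders for the asker's own data, and the lookup is assumed to be the threat_ip_list.csv with the src_ip, dest_ip, threat_country and threat_name columns listed in the question.

```spl
index=firewall sourcetype=fw_events
| lookup threat_ip_list.csv src_ip OUTPUT threat_country AS src_threat_country, threat_name AS src_threat_name
| lookup threat_ip_list.csv dest_ip OUTPUT threat_country AS dest_threat_country, threat_name AS dest_threat_name
| where isnotnull(src_threat_country) OR isnotnull(dest_threat_country)
| eval matched_ip = if(isnotnull(src_threat_country), src_ip, dest_ip)
| eval direction = case(isnotnull(src_threat_country) AND isnotnull(dest_threat_country), "both", isnotnull(src_threat_country), "inbound_from_listed_ip", true(), "outbound_to_listed_ip")
| eval threat_country = coalesce(src_threat_country, dest_threat_country)
| eval threat_name = coalesce(src_threat_name, dest_threat_name)
| table _time src_ip dest_ip matched_ip direction threat_country threat_name
```

Each lookup call keys on one event field, and the OUTPUT ... AS clauses keep the two results apart until the where clause has filtered to matching events; matched_ip and direction are assumed names added so the alert shows which side of the connection hit the list. Save this as an alert with the trigger condition "number of results is greater than 0" over the chosen time range. The lookup command matches on exact string values by default, so the CSV needs one row per individual IP address; CIDR ranges in the list would require a lookup definition with match_type set to CIDR in transforms.conf.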

chillsgrove
Explorer

Thank you. I ran the search you provided. I had problems with the "lookup threat_ip_list.csv src_ip as ip_address" and "lookup threat_ip_list.csv dest_ip as ip_address" lines, but I worked around it by adding src_ip and dest_ip fields in the lookup table, giving them equivalent IP values, and removing the "as ip_address" from the search string.

Everything else worked great!

0 Karma

sundareshr
Legend

Try this

index=somelogs [|inputlookup threat_ip_list.csv | table src_ip | rename src_ip AS search ] 
0 Karma