Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert if src_ip or dest_ip exists in lookup table

chillsgrove
Explorer
‎07-12-2016 04:42 PM

I want to create an alert that triggers when a src_ip OR dest_ip exists in a lookup table (e.g. threat_ip_list.csv). But I'm not sure how to create the search string for this. The fields I'm using in the threat_ip_list lookup table are as follows:

src_ip, dest_ip, threat_country, threat_name
(NOTE: The src_ip and dest_ip field values are duplicates of each other in the lookup table.)

If the src_ip OR dest_ip matches an IP address listed in the table, the alert should trigger and provide the threat_country and threat_name information. Any recommendations on how to do this are greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-12-2016 07:04 PM

Try like this

your search to get ip_address field which contains the ip | lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1 | lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2 | where isnotnull(threat_country1) OR isnotnull(threat_country2) | eval threat_country=coalesce(threat_country1,threat_country2) | eval threat_name=coalesce(threat_name1,threat_name2)| table ip_address threat_country threat_name

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-12-2016 07:04 PM

Try like this

your search to get ip_address field which contains the ip | lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1 | lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2 | where isnotnull(threat_country1) OR isnotnull(threat_country2) | eval threat_country=coalesce(threat_country1,threat_country2) | eval threat_name=coalesce(threat_name1,threat_name2)| table ip_address threat_country threat_name
0 Karma
Reply
Solved! Jump to solution

chillsgrove
Explorer
‎07-13-2016 01:48 PM

Thank you. I ran the search you provided. Had problems with the "lookup threat_ip_list.csv src_ip as ip_address" and "lookup threat_ip_list.csv dest_ip as ip_address" lines. But I worked around it by adding src_ip and dest_ip fields in the lookup table and giving them equivalent ip values and removing the "as ip_address" from the search string.

Everything else worked great!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-12-2016 06:01 PM

Try this 

index=somelogs [|inputlookup threat_ip_list.csv | table src_ip | rename src_ip AS search ]
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...