Splunk Search

Appending lookup fields into search

weetabixsplunk
Explorer

Hi guys,

 

I'm a Splunk noob here and I'm going nuts. I know this is an extremely simple search and I can't get it right.
I'm trying to create a search for remote access applications based on our firewall index.

The IP CIDR ranges will be pulled from a lookup file (network_assets.csv) and matched against the source IP from my events. There are fields in the lookup file that do not exist in the events. I'm particularly interested in adding the field called usertags (which is included in the lookup).

I am using these links as a reference and I can't get it to work.
https://community.splunk.com/t5/Splunk-Search/How-do-I-append-columns-to-a-search-via-inputlookup-wh...

index=fw
| search appcat=Remote.Access
| search app!="RDP" AND app!="WMI.DCERPC"
| lookup network_assets.csv cidr
| eval cidr=src
| search usertags="*server*"
| table src dest app url appcat usertags



My search currently does not give me any results. Any help would be much appreciated.

1 Solution

richgalloway
SplunkTrust

It would help to see a sample event or two and a sample row or two from the lookup file. 

It would help immensely if you explained what is meant by "can't get it to work".  What results do you get and how do they not meet expectation?

If the lookup file contains CIDR addresses and the index does not then a lookup definition should be created so you can enable CIDR lookups.  If that's the case then let us know so we can go into detail on that.

FTR, search performance can be improved by moving the search commands into the base search.

index=fw appcat=Remote.Access app!="RDP" app!="WMI.DCERPC"
| lookup network_assets.csv cidr
| eval cidr=src
| search usertags="*server*"
| table src dest app url appcat usertags
---
If this reply helps you, Karma would be appreciated.

pbarbuto
Path Finder

try "| lookup network_assets.csv OUTPUT cidr AS src"

weetabixsplunk
Explorer

Idiot me was doing it all wrong and that answer definitely helped! Thank you!! ❤️

weetabixsplunk
Explorer

Thank you so much for responding ❤️

This is what a sample of the lookup would look like:

cidr           description  AssetId                         name            netNamespace  networkId  usertags
10.20.16.0/23  London(AD)   aaaa-cucuc-5460-9e-98888        AD-assets       default                  Wired|Server
10.10.34.0/24  Cancun       bb0cuc-9181-51-8957-833357f2a1  Virtualization  default                  Wired|Server

I get a "No results found". I know the search itself does give me results if I input a particular IP address as the source, as I know that there have been remote access applications running on servers.

ITWhisperer
SplunkTrust

Have you set up advanced options for the lookup, specifically CIDR as the match type?

Define a CSV lookup in Splunk Web - Splunk Documentation

Also, you possibly want to change the lookup to this

| lookup network_assets.csv cidr AS src
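
Putting the two points in this thread together (richgalloway's: create a lookup definition so CIDR matching can be enabled; ITWhisperer's: rename the lookup field onto the event field with `cidr AS src`), here is the corrected search as an added example; it is not code from the original thread. It assumes a lookup definition named network_assets_cidr (a hypothetical name) that points at network_assets.csv and has `match_type = CIDR(cidr)` set in transforms.conf (in Splunk Web: Settings > Lookups > Lookup definitions > Advanced options > Match type). Calling the .csv file directly, as the original search does, compares strings exactly, so a host address such as 10.20.16.5 never equals the row value 10.20.16.0/23; and `eval cidr=src` placed after the lookup cannot influence a lookup that has already run. The first search is a sanity check against one constructed address; the second is the full search.

```spl
| makeresults
| eval src="10.20.16.5"
| lookup network_assets_cidr cidr AS src OUTPUT usertags

index=fw appcat=Remote.Access app!="RDP" app!="WMI.DCERPC"
| lookup network_assets_cidr cidr AS src OUTPUT usertags
| search usertags="*server*"
| table src dest app url appcat usertags
```

If the sanity check returns usertags=Wired|Server (the sample row for 10.20.16.0/23), the definition is matching on CIDR; an empty usertags means the definition still uses the default exact match. `OUTPUT usertags` returns only the field needed; add description or name after OUTPUT to pull more columns. The `*server*` filter matches Wired|Server because the search command compares field values case-insensitively.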

weetabixsplunk
Explorer

thank you!!!!!!!!!!!!! 🙂

pbarbuto
Path Finder

Are you sure that there is a column called cidr in your lookup? If you just run the following what do you see?

| inputlookup network_assets.csv

weetabixsplunk
Explorer

I see the lookup itself with the following fields:

cidr description AssetId name Namespace networkId tags usertags

SinghK
Builder

try this

index=fw
| search appcat=Remote.Access
| search app!="RDP" AND app!="WMI.DCERPC"
| lookup network_assets.csv cidr OUTPUT src
| search usertags="*server*"
| table src dest app url appcat usertags

weetabixsplunk
Explorer

I get: "Error in 'lookup' command: Cannot find the destination field 'src' in the lookup table 'network_assets.csv'."
