
BotS - Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table

suspense
Explorer

Hi,

I am doing Boss of the SOC v1 and I am stuck on a question where I need to use a lookup. I imported a .csv file and here are my commands:

index=botsv1 dest=192.168.250.70 src="23.22.63.114" http_method=POST
| rex field=form_data "passwd=(?<passwd>[a-zA-Z]{6})"
| lookup coldplay.csv Song as passwd OUTPUTNEW song


Error I get:

Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

I tried to run it and I received the same error.

Do you know how I can solve it?
1 Solution

yuanliu
SplunkTrust

That's because your coldplay.csv file doesn't contain a field named song. OUTPUT or OUTPUTNEW can only take what is found in the lookup. If your lookup contains a field named poem and you want to rename it song, you have to reference poem first, like

| lookup coldplay.csv Song AS passwd OUTPUTNEW poem AS song


suspense
Explorer

This is what my .csv looks like. How can I find which fields I have? I thought the name of the column is considered a field?

[Screenshot attached: cold.PNG]


yuanliu
SplunkTrust

Yes, the field name is Song, not song.  Also, if the lookup only contains one field, what do you expect to look up?  The purpose of a lookup is to associate a known field value in search result to one or more field values that are only known in the lookup.


suspense
Explorer

I am trying to do BotS and answer the question:

One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Which six character song is it?

Basically I am trying to import a list of Coldplay songs in .csv and compare it with the passwords used in the brute force attack.


Here is how the query should look (probably?):

https://www.aldeid.com/wiki/TryHackMe-BP-Splunk/Advanced-Persitent-Threat##7_-_One_of_the_passwords_... 

index=botsv1 sourcetype=stream:http form_data=*username*passwd*
| rex field=form_data "passwd=(?<userpassword>\w+)"
| eval lenpword=len(userpassword)
| search lenpword=6
| eval password=lower(userpassword)
| lookup coldplay.csv song as password OUTPUTNEW song
| search song=*
| table song



suspense
Explorer

BTW, if you look at this website - their syntax with lookup and the list that they attached in a link - this syntax just cannot work. I tested it in my lab and it does not work. But you helped me to understand that the last 'song' must be 'Song' 🙂 Thank you.

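As an added example (not from this thread or Splunk's own code), a small Python model of the `lookup` behaviour the accepted answer and the follow-up explain: field names are case-sensitive and every name in OUTPUTNEW must be a column of the CSV, OUTPUTNEW only fills a field the event does not already have, and the corrected pipeline rexes the password, keeps six-character values, lower-cases them and looks them up by `Song`. The CSV contents, the events and case-sensitive value matching are constructed assumptions for the model.

```python
import csv
import io
import re

# Constructed stand-in for coldplay.csv: one column whose header is "Song" (capital S).
COLDPLAY_CSV = "Song\nyellow\nclocks\nfix you\ntrouble\n"

# Constructed POST events shaped like the form_data the question's search extracts from.
EVENTS = [
    {"form_data": "username=admin&passwd=Yellow"},
    {"form_data": "username=admin&passwd=batman"},
    {"form_data": "username=admin&passwd=Clocks"},
    {"form_data": "username=admin&passwd=paradise"},
]

class SplunkLookupError(Exception):
    """Raised where Splunk would abort the search with a lookup command error."""

def lookup(events, csv_text, match_field, event_field, output_field, output_as=None):
    """Emulate `| lookup <csv> <match_field> AS <event_field> OUTPUTNEW <output_field> AS <output_as>`.

    Field names are case-sensitive: each one must be a CSV column header spelled exactly,
    otherwise raise, mirroring the error quoted in the question. Value matching is modelled
    as case-sensitive too (an assumption of this model), which is why callers lower() first.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    for name in (match_field, output_field):
        if name not in reader.fieldnames:
            raise SplunkLookupError(f"field '{name}' not among lookup columns {reader.fieldnames}")
    out_name = output_as or output_field
    table = {row[match_field]: row[output_field] for row in rows}
    results = []
    for ev in events:
        ev = dict(ev)
        # OUTPUTNEW only fills the destination field when the event does not already have it.
        if event_field in ev and out_name not in ev and ev[event_field] in table:
            ev[out_name] = table[ev[event_field]]
        results.append(ev)
    return results

def find_coldplay_passwords(events=EVENTS, csv_text=COLDPLAY_CSV):
    """Corrected pipeline: rex the password, keep six-character ones, lower() it, look up by Song."""
    candidates = []
    for ev in events:
        m = re.search(r"passwd=(?P<userpassword>\w+)", ev["form_data"])
        if m and len(m.group("userpassword")) == 6:
            candidates.append({**ev, "password": m.group("userpassword").lower()})
    matched = lookup(candidates, csv_text, "Song", "password", "Song", output_as="song")
    return [ev["song"] for ev in matched if "song" in ev]
```

Calling `lookup(..., output_field="song")` with the lower-case name raises, which is the model's equivalent of the error in the question; `find_coldplay_passwords()` shows the working `Song AS password OUTPUTNEW Song AS song` form.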
