Splunk Search

BotS - Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table

suspense
Explorer

Hi,

I am doing Boss of the SOC v1 and I am stuck on a question where I need to use a lookup. I imported a .csv file and here are my commands:

index=botsv1 dest=192.168.250.70 src="23.22.63.114" http_method=POST
| rex field=form_data "passwd=(?<passwd>[a-zA-Z]{6})"
| lookup coldplay.csv Song as passwd OUTPUTNEW song

 

Error I get:

Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.
 
I tried to run it and I received the same error.
 
Do you know how I can solve it?

yuanliu
SplunkTrust

That's because your coldplay.csv file doesn't contain a field named song.  OUTPUT or OUTPUTNEW can only take what is found in the lookup.  If your lookup contains a field named poem and you want to rename it song, you have to reference poem first, like

| lookup coldplay.csv Song AS passwd OUTPUTNEW poem AS song


suspense
Explorer

This is how my .csv looks. How can I find which fields I have? I thought the name of the column is considered a field?

[attached screenshot: cold.PNG]

yuanliu
SplunkTrust

Yes, the field name is Song, not song.  Also, if the lookup only contains one field, what do you expect to look up?  The purpose of a lookup is to associate a known field value in search result to one or more field values that are only known in the lookup.


suspense
Explorer

I am trying to do BotS and answer the question:

One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Which six character song is it?

Basically I am trying to import a list of Coldplay songs in .csv and compare it with the passwords used in the brute force attack.

 

Here is how the query should (probably?) look:

https://www.aldeid.com/wiki/TryHackMe-BP-Splunk/Advanced-Persitent-Threat##7_-_One_of_the_passwords_... 

index=botsv1 sourcetype=stream:http form_data=*username*passwd*
| rex field=form_data "passwd=(?<userpassword>\w+)"
| eval lenpword=len(userpassword)
| search lenpword=6
| eval password=lower(userpassword)
| lookup coldplay.csv song as password OUTPUTNEW song
| search song=*
| table song


suspense
Explorer

BTW, if you look at this website, their syntax with lookup and the list that they attached in a link just cannot work. I tested it in my lab and it does not work. But you helped me to understand that the last 'song' must be 'Song' 🙂 Thank you.

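Putting yuanliu's rule (OUTPUT/OUTPUTNEW may only name columns that exist in the lookup, spelled exactly as in the header) together with the BotS query quoted above, here is a corrected search as an added example; it is not from the thread or from the aldeid page. It assumes coldplay.csv has a single column named Song whose values are stored in lowercase (the same assumption the aldeid query makes when it lowercases the password); the field names matched_song and attempts are chosen here. Because the lookup has only one column, the trick is to output that same column under a new name, which tags every event whose password matched a title:

```spl
index=botsv1 sourcetype=stream:http dest=192.168.250.70 src="23.22.63.114" http_method=POST form_data=*passwd*
| rex field=form_data "passwd=(?<passwd>\w+)"
| eval passwd=lower(passwd)
| where len(passwd)=6
| lookup coldplay.csv Song AS passwd OUTPUTNEW Song AS matched_song
| where isnotnull(matched_song)
| stats count AS attempts BY matched_song
```

To see which columns a lookup file really has before writing the lookup line, run `| inputlookup coldplay.csv | head 5`; the column names shown there are the only names OUTPUT/OUTPUTNEW will accept. CSV lookups match values case-sensitively by default, so if the titles in the file are not lowercase, either normalise the file or create a lookup definition with case_sensitive_match set to false in transforms.conf instead of relying on lower() in the search.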