Hi all,
I am new to using lookups and I'm a bit confused. I've created a lookup file on my splunk instance called combined-threatlist.csv which has data in it like this:
head /opt/splunk/etc/apps/search/lookups/combined-threatlist.csv
threatip
1.11.244.148/32
1.20.70.243/32
1.27.3.227/32
1.28.125.6/32
1.28.164.232/32
1.28.205.33/32
1.28.206.193/32
1.31.87.35/32
1.32.200.68/32
I have firewall logs with sourcetype=pan:traffic and I would like to see whether either the src_ip or dest_ip field values match any of the CIDRs/hosts listed in the lookup file. How would I go about doing this? I created the lookup definition named threatlistlookup and created the lookup table file combined-threatlist.csv as well.
... | eval srcMatch=if(searchmatch([|inputlookup yourlookup| format]),”1”,”0”)
Same for dest but change the field names.
Error in 'eval' command: The arguments to the 'searchmatch' function are invalid.
for search:
index=palo sourcetype="pan:threat" | eval srcMatch=if(searchmatch(src_ip,"[|inputlookup threatlistlookup | format]"),"1","0")
I edited the answer, can you try the new search and let me know? Thanks!
index=palo sourcetype="pan:threat" | eval srcMatch=if(searchmatch(src_ip,”[|inputlookup threatlistlookup | format]”),”1”,”0”)
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '” ( ( threatip="1.11.244.148/32" ) OR ( threatip="1.20.70.243/32" ) OR ( threatip="1.27.3.227/32" ) OR ( threatip="1.28.125.6/32" ) OR ( threatip="1.28.164.232/32" ) OR ( threatip="1.28.205.33/32" ) OR ( threatip="1.28.206.193/32" ) OR ( threatip="1.31.87.35/32" ) OR ( threatip="1.32.200.68/32" ) OR ( threatip="1.32.200.98/32" ) OR ( threatip="1.34.2.152/32" ) OR ( threatip="1.34.39.59/32" ) OR ( threatip="1.34.49.237/32" ) OR ( threatip="1.34.110.55/32" ) OR ( threatip="1.34.113.192/32" ) OR ( threatip="1.34.209.148/32" ) OR ( threatip="1.36.29.156/32" ) OR ( threatip="1.36.56.213/32" ) OR ( threatip="1.36.83.89/32" ) OR ( threatip="1.36.162.207/32" ) OR ( threatip="1.48.68.27/32" ) ... ,”1”,”0”)'.
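The CIDR match the question asks for, as an added example that is not from any poster in this thread: it assumes the lookup definition threatlistlookup has its match type set to CIDR(threatip) (the "Match type" field under the lookup definition's advanced options, or match_type = CIDR(threatip) in its transforms.conf stanza), and that src_ip and dest_ip are already extracted from the pan:traffic events. Each lookup call tests one event field against the threatip CIDR column and writes the matching entry into a new field, which is then turned into the 1/0 flags the original search was trying to compute.

```spl
index=palo sourcetype="pan:traffic"
| lookup threatlistlookup threatip AS src_ip OUTPUTNEW threatip AS src_threat
| lookup threatlistlookup threatip AS dest_ip OUTPUTNEW threatip AS dest_threat
| eval srcMatch=if(isnotnull(src_threat),"1","0"),
       destMatch=if(isnotnull(dest_threat),"1","0")
| where srcMatch="1" OR destMatch="1"
| table _time src_ip dest_ip src_threat dest_threat srcMatch destMatch
```

searchmatch() takes a single search-string argument, and the lookup values are CIDR strings such as 1.11.244.148/32, so a plain string comparison against src_ip would not match even with the quoting fixed; the CIDR match type makes the lookup do the address-in-range test.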