Splunk Search

Check IP against lookup file with IP/CIDRs.

zhatsispgx
Path Finder

Hi all,

I am new to using lookups and I'm a bit confused. I've created a lookup file on my splunk instance called combined-threatlist.csv which has data in it like this:

head /opt/splunk/etc/apps/search/lookups/combined-threatlist.csv

threatip
1.11.244.148/32
1.20.70.243/32
1.27.3.227/32
1.28.125.6/32
1.28.164.232/32
1.28.205.33/32
1.28.206.193/32
1.31.87.35/32
1.32.200.68/32

I have firewall logs sourcetype=pan:traffic that I would like to see if either the src_ip or dest_ip field values match on any of the CIDR/hosts listed in the lookup file. How would I go about doing this? I created the lookup definition named threatlistlookup, and created the lookup table file as well combined-threatlist.csv.

0 Karma

jkat54
SplunkTrust
SplunkTrust

... | eval srcMatch=if(searchmatch([|inputlookup yourlookup| format]),”1”,”0”)

Same for dest but change the field names.

0 Karma

zhatsispgx
Path Finder

Error in 'eval' command: The arguments to the 'searchmatch' function are invalid.
for search:

index=palo sourcetype="pan:threat" | eval srcMatch=if(searchmatch(src_ip,"[|inputlookup threatlistlookup | format]"),"1","0")

0 Karma

jkat54
SplunkTrust
SplunkTrust

I edited the answer, can you try the new search and let me know? Thanks!

0 Karma

zhatsispgx
Path Finder

index=palo sourcetype="pan:threat" | eval srcMatch=if(searchmatch(src_ip,”[|inputlookup threatlistlookup | format]”),”1”,”0”)

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '” ( ( threatip="1.11.244.148/32" ) OR ( threatip="1.20.70.243/32" ) OR ( threatip="1.27.3.227/32" ) OR ( threatip="1.28.125.6/32" ) OR ( threatip="1.28.164.232/32" ) OR ( threatip="1.28.205.33/32" ) OR ( threatip="1.28.206.193/32" ) OR ( threatip="1.31.87.35/32" ) OR ( threatip="1.32.200.68/32" ) OR ( threatip="1.32.200.98/32" ) OR ( threatip="1.34.2.152/32" ) OR ( threatip="1.34.39.59/32" ) OR ( threatip="1.34.49.237/32" ) OR ( threatip="1.34.110.55/32" ) OR ( threatip="1.34.113.192/32" ) OR ( threatip="1.34.209.148/32" ) OR ( threatip="1.36.29.156/32" ) OR ( threatip="1.36.56.213/32" ) OR ( threatip="1.36.83.89/32" ) OR ( threatip="1.36.162.207/32" ) OR ( threatip="1.48.68.27/32" ) ... ,”1”,”0”)'.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...