Splunk Search

Compare fields without wildcards

quangnm21
Explorer

Hello everyone, I'm a beginner in using Splunk. I'm facing an issue in finding a search solution for the following idea: I'm logging the deletion behavior of files, and I have whitelisted some important files in a lookup. If the file_path in the event matches any of the file_paths in my lookup file, then it should produce a result.

quangnm21_0-1703690865476.png

Here is the initial search, and it found 2 file_paths.

quangnm21_1-1703690928479.png

This is my lookup file.

quangnm21_2-1703690965454.png

Here is my search, but it's not working correctly.

Thank you, everyone, for reading!

Labels (2)
0 Karma
1 Solution

dtburrows3
Builder

You should be able to set up "Match Type" configuration under advanced settings when defining a lookup definition for your CSV.

dtburrows3_0-1703692114980.png


Example of its usage on my local instance

dtburrows3_1-1703692160205.png

SPL used to simulate (you would need to insert your file_paths in the evals to test this)

| makeresults
    | eval
        file_path="/opt/splunk/etc/apps/custom_app/metadata/local.meta"
    | append
        [
            | makeresults
                | eval
                    file_path="/opt/splunk/etc/apps/custom_app/metadata/default.meta"
            ]
    
    | lookup file_deleted file_path OUTPUT file_path as deleted_path
    
    ```
    | where isnotnull(deleted_path)
    ```

View solution in original post

dtburrows3
Builder

You should be able to set up "Match Type" configuration under advanced settings when defining a lookup definition for your CSV.

dtburrows3_0-1703692114980.png


Example of its usage on my local instance

dtburrows3_1-1703692160205.png

SPL used to simulate (you would need to insert your file_paths in the evals to test this)

| makeresults
    | eval
        file_path="/opt/splunk/etc/apps/custom_app/metadata/local.meta"
    | append
        [
            | makeresults
                | eval
                    file_path="/opt/splunk/etc/apps/custom_app/metadata/default.meta"
            ]
    
    | lookup file_deleted file_path OUTPUT file_path as deleted_path
    
    ```
    | where isnotnull(deleted_path)
    ```

quangnm21
Explorer

@dtburrows3 ,Thank you very much; the knowledge is truly helpful.

0 Karma

quangnm21
Explorer

Hi, @dtburrows3 

I'm still having trouble understanding this query. My goal is to retrieve the file_path field in the event and compare it with a lookup file containing files that should not be deleted. If the file_path in my event matches a file in the lookup file, then the alert should be triggered. Similar to blacklisting malicious IP addresses.

0 Karma

dtburrows3
Builder

So to use your original SPL you posted, it would look something like this.

| from datamodel Endpoint.Filesystem | search action=deleted AND Image IN ("*powershell.exe", "*cmd.exe")
| lookup files_deleted file_path OUTPUT file_path as path_lookup
| where isnotnull(path_lookup)


This method assumes that the field "file_path" is properly extracted from your events and that you have enabled the match_type WILDCARD(file_path) setting in the lookup definition.

If the field value from "file_path" in the events matches any entry in the lookup, including wildcards, it will return a net-new field to your event named "path_lookup". If an event does not match an entry in the lookup then there will be no new field returned for that event.

The final where clause in the search will only keep the events  where a match was made against the lookup.

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...