Solved: Re: Compare fields without wildcards

quangnm21 · ‎12-27-2023

Hello everyone, I'm a beginner in using Splunk. I'm facing an issue in finding a search solution for the following idea: I'm logging the deletion behavior of files, and I have whitelisted some important files in a lookup. If the file_path in the event matches any of the file_paths in my lookup file, then it should produce a result.

Here is the initial search, and it found 2 file_paths.

This is my lookup file.

Here is my search, but it's not working correctly.

Thank you, everyone, for reading!

dtburrows3 · ‎12-27-2023

You should be able to set up "Match Type" configuration under advanced settings when defining a lookup definition for your CSV.

Example of its usage on my local instance

SPL used to simulate (you would need to insert your file_paths in the evals to test this)

| makeresults
    | eval
        file_path="/opt/splunk/etc/apps/custom_app/metadata/local.meta"
    | append
        [
            | makeresults
                | eval
                    file_path="/opt/splunk/etc/apps/custom_app/metadata/default.meta"
            ]
    
    | lookup file_deleted file_path OUTPUT file_path as deleted_path
    
    ```
    | where isnotnull(deleted_path)
    ```

View solution in original post

dtburrows3 · ‎12-27-2023

You should be able to set up "Match Type" configuration under advanced settings when defining a lookup definition for your CSV.

Example of its usage on my local instance

SPL used to simulate (you would need to insert your file_paths in the evals to test this)

| makeresults
    | eval
        file_path="/opt/splunk/etc/apps/custom_app/metadata/local.meta"
    | append
        [
            | makeresults
                | eval
                    file_path="/opt/splunk/etc/apps/custom_app/metadata/default.meta"
            ]
    
    | lookup file_deleted file_path OUTPUT file_path as deleted_path
    
    ```
    | where isnotnull(deleted_path)
    ```

quangnm21 · ‎12-27-2023

@dtburrows3 ,Thank you very much; the knowledge is truly helpful.

quangnm21 · ‎12-27-2023

Hi, @dtburrows3

I'm still having trouble understanding this query. My goal is to retrieve the file_path field in the event and compare it with a lookup file containing files that should not be deleted. If the file_path in my event matches a file in the lookup file, then the alert should be triggered. Similar to blacklisting malicious IP addresses.

dtburrows3 · ‎12-27-2023

So to use your original SPL you posted, it would look something like this.

| from datamodel Endpoint.Filesystem | search action=deleted AND Image IN ("*powershell.exe", "*cmd.exe")
| lookup files_deleted file_path OUTPUT file_path as path_lookup
| where isnotnull(path_lookup)

This method assumes that the field "file_path" is properly extracted from your events and that you have enabled the match_type WILDCARD(file_path) setting in the lookup definition.

If the field value from "file_path" in the events matches any entry in the lookup, including wildcards, it will return a net-new field to your event named "path_lookup". If an event does not match an entry in the lookup then there will be no new field returned for that event.

The final where clause in the search will only keep the events where a match was made against the lookup.

Compare fields without wildcards

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation