I'm trying to find all firewall denied and passing a stats command to it, but I have a list of ip's that it should be excluded in the stats.
deny AND NOT [excluded src ip list in here] | stats count by src | search count > 2
The requirement would be that the exclusion list be in a file that I could just put the search to avoid having to write excessively on the search box.
Yes, you can make a lookup file. If you had a file with:
ip, optionalotherfield1, anotherfield
1.1.2.3, x ,y
3.4.6.7, abc,def
5.6.7.8, 123,444
defined as a lookup file called excludedip.csv, you would just do:
deny AND NOT [ inputlookup excludedips.csv | fields ip ] | stats count by src
You can refine this by giving the csv file a logical name in Splunk, and you can also use outputlookup
in jobs to generate the contents of the csv file from other data.
Yes, you can make a lookup file. If you had a file with:
ip, optionalotherfield1, anotherfield
1.1.2.3, x ,y
3.4.6.7, abc,def
5.6.7.8, 123,444
defined as a lookup file called excludedip.csv, you would just do:
deny AND NOT [ inputlookup excludedips.csv | fields ip ] | stats count by src
You can refine this by giving the csv file a logical name in Splunk, and you can also use outputlookup
in jobs to generate the contents of the csv file from other data.
perfect, thanks!
Yes, it can be done. Using the example
10.0.0.1 iptables: deny: IN= OUT=eth0 SRC=1.1.1.1 DST=2.2.2.2 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=6102 DF PROTO=TCP SPT=443 DPT=52483 WINDOW=248 RES=0x00 ACK PSH FIN URGP=0
deny NOT SRC=1.1.1.1 NOT SRC=x.x.x.x NOT SRC=x.x.x.x etc etc
why not make it an eventtype?
Thanks, can these "NOT"s be in a file instead of in the search? I also updated the question. Sorry about not supplying this requirement earlier.