Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to compare a list of IPs from a lookup to IPs in firewall logs?

CYBR_AH
Explorer
‎11-04-2015 02:45 PM

I'm still new to Splunk and trying to figure out the correct syntax for lookups.

My goal is to compare a list of known IPs associated with a botnet and see if there is any traffic to/from the IPs in the firewall logs.

index=firewall_logs sourcetype=cisco:asa [ | inputlookup bad_ips.csv | fields IP ]

This returns nothing. What else am I missing? Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎11-04-2015 03:24 PM

Hi CYBR_AH,

run the search using return instead fields :

index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 IP ]

This will return the results from the lookup file as this string:

(IP="1.1.1.1") OR (IP="2.2.2.2") ....

which will be used in the base search, so the search be in the end:

index=firewall_logs sourcetype=cisco:asa (IP="1.1.1.1") OR (IP="2.2.2.2") ....

Read the docs on return to learn more details http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Return

Hope this helps ...

cheers, MuS

Update:

Sorry the first one was wrong! Try this instead:

 | inputlookup bad_ips.csv | search [ search index=firewall_logs sourcetype=cisco:asa | dedup IP | fields IP ]

Hope this makes more sense ...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vinitashinde94
New Member
‎07-25-2019 05:36 AM

where do ve upload .csv file in splunk which contains list of IPs?

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎11-04-2015 03:24 PM

Hi CYBR_AH,

run the search using return instead fields :

index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 IP ]

This will return the results from the lookup file as this string:

(IP="1.1.1.1") OR (IP="2.2.2.2") ....

which will be used in the base search, so the search be in the end:

index=firewall_logs sourcetype=cisco:asa (IP="1.1.1.1") OR (IP="2.2.2.2") ....

Read the docs on return to learn more details http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Return

Hope this helps ...

cheers, MuS

Update:

Sorry the first one was wrong! Try this instead:

 | inputlookup bad_ips.csv | search [ search index=firewall_logs sourcetype=cisco:asa | dedup IP | fields IP ]

Hope this makes more sense ...

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-04-2015 03:34 PM

update ping...

0 Karma
Reply
Solved! Jump to solution

CYBR_AH
Explorer
‎11-04-2015 08:35 PM

I tried 

index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 $IP] | stats count by dest_ip

and it worked. This gave me a really good starting point. Thanks for your help! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...