Splunk Search

How to blacklist lookup for syslogs?

splunkboob
Explorer

I have a blacklist.csv file that looks like the following:

IP domain
1.0.136.29 # 2018-11-12, node-1lp.pool-1-0.dynamic.totbb.net, THA, 2
1.0.136.215 # 2018-10-06, node-1qv.pool-1-0.dynamic.totbb.net, THA, 2

I want to scan my syslog events and see if any IP address matches the IPs in this blacklist.

A syslog event looks like this:

Feb 7 03:32:31 Router kernel: [WAN_IN-3009-A]IN=eth0 OUT=eth1.100 MAC=18:e8:29:44:40:ac:00:1d:aa:a2:78:axxxxxx src=128.199.123.0 DST=192.168.100.207 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=52834 DF PROTO=TCP SPT=38290 DPT=8194 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x64800000

I already set up a lookup definition and lookup table, but I don't know exactly how to put up a search to display if a syslog event matches an IP in blacklist.csv.

ITWhisperer
SplunkTrust
SplunkTrust

Assuming src and DST are already extracted and you don't already have a domain field extracted in your events, you could try this:

| lookup blacklist.csv IP as src
| lookup blacklist.csv IP as DST
| where isnotnull(domain)

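The same check done outside Splunk, as an added example that is not from the question or the answer above: it reads the blacklist in the layout the question shows (IP, whitespace, then a "#" annotation that itself contains commas, so a comma-based CSV split would not give a clean IP column), pulls src/DST out of kernel-style lines case-insensitively, and flags any event whose source or destination is on the list. The syslog lines are constructed; the blacklisted address in them is hypothetical.

```python
import re
from typing import Dict, List

# Constructed blacklist in the same layout as the post's blacklist.csv:
# header, then "<IP> # <date>, <hostname>, <country>, <score>".
BLACKLIST_TEXT = """IP domain
1.0.136.29 # 2018-11-12, node-1lp.pool-1-0.dynamic.totbb.net, THA, 2
1.0.136.215 # 2018-10-06, node-1qv.pool-1-0.dynamic.totbb.net, THA, 2
"""

# Constructed syslog lines shaped like the router log in the question;
# the second and third carry a blacklisted address (hypothetical events).
SYSLOG_LINES = [
    "Feb 7 03:32:31 Router kernel: [WAN_IN-3009-A]IN=eth0 OUT=eth1.100 src=128.199.123.0 DST=192.168.100.207 PROTO=TCP SPT=38290 DPT=8194",
    "Feb 7 03:33:02 Router kernel: [WAN_IN-3009-A]IN=eth0 OUT=eth1.100 src=1.0.136.29 DST=192.168.100.207 PROTO=TCP SPT=51000 DPT=22",
    "Feb 7 03:34:10 Router kernel: [WAN_OUT-2001-A]IN=eth1.100 OUT=eth0 src=192.168.100.50 DST=1.0.136.215 PROTO=UDP SPT=5353 DPT=53",
]

def load_blacklist(text: str) -> Dict[str, str]:
    """Map each blacklisted IP to its annotation (the 'domain' column).
    The annotation contains commas, so split on the first space, not on commas."""
    entries = {}
    for line in text.splitlines()[1:]:          # skip the "IP domain" header
        line = line.strip()
        if not line:
            continue
        ip, _, annotation = line.partition(" ")
        entries[ip] = annotation.lstrip("# ").strip()
    return entries

# Field names in the log are mixed case (src= vs DST=); match them case-insensitively.
ADDR_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)

def extract_addresses(event: str) -> Dict[str, str]:
    """Return {'src': ..., 'dst': ...} for the addresses present in one event."""
    return {key.lower(): ip for key, ip in ADDR_RE.findall(event)}

def find_matches(events: List[str], blacklist: Dict[str, str]) -> List[dict]:
    """Flag events whose src or dst appears in the blacklist (either direction),
    mirroring the two lookups (IP as src, IP as DST) in the accepted answer."""
    hits = []
    for event in events:
        for direction, ip in extract_addresses(event).items():
            if ip in blacklist:
                hits.append({"field": direction, "ip": ip,
                             "domain": blacklist[ip], "event": event})
    return hits
```

Running `find_matches(SYSLOG_LINES, load_blacklist(BLACKLIST_TEXT))` returns one hit per blacklisted address, with the direction (src or dst) it was seen in.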
