Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a look up table with "*&" or "any" field?

Erfan
Explorer
‎03-28-2023 10:04 PM

Hi

I am trying to whitelist some traffic from my search. So I decided to create a look up table including src ip, dst ip, username, dst port, src zone.

for example:

src_ip dest_ip src_zone dest_port user whitelisted
* * center * * TRUE
172.16.20.44 13.58.90.11 * 443 Alice TRUE
* 128.221.236.246 * 443 * TRUE
192.168.12.03 * * * * TRUE
172.16.20.13 * * * * TRUE
192.168.26.4 * * * * TRUE
192.168.26.8 198.160.25.74 * 443 * TRUE
192.168.26.9 198.160.25.87 * * * TRUE
* 142.250.70.174 * * * TRUE
           

 

but the problem is the search matches when all cells related to fields which are called in lookup command have values, but it does not match (does not whitelist) if a cell has "*" or "Any"  value.

| lookup whitelisttest.csv src_ip as src_ip dest_ip as dest_ip dest_port as dest_port user as user
| where isnull(whitelisted)

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-03-2023 08:11 AM

You can add as many wildcard lookup fields as needed. This is the instruction from Splunk Web (GUI)

Optionally set up non-exact matching of a comma-and-space-delimited field list. Format is <match_type>(<field_name>). Available values for match_type are WILDCARD and CIDR.

No need for CUI.

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2023 02:02 AM

Will match_type WILDCARD help?  See Create a CSV lookup definition.

0 Karma
Reply
Solved! Jump to solution

Erfan
Explorer
‎03-29-2023 04:43 PM

Thanks for your response. 

I created a look up definition and in match type I entered:  WILDCARD(dest_ip)

I expected to see all result except traffic from 172.16.20.13:

172.16.20.13****TRUE

 

but it did not showed any records. I mean it remove all result not only whitelisted.

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎03-30-2023 12:39 AM

You need to give more details about your data with illustration, including an explanation of key characteristics, and illustrate the desired results.

If every event contains these four fields, src_ip, dest_ip, dest_port, and user, your lookup

| lookup whitelisttest.csv src_ip dest_ip dest_port user ``` no need to use "as" annotator if the name is the same ```​

will always return whitelisted "TRUE".  This is because in addition to the row you just quoted, you also have this row

src_ipdest_ipsrc_zonedest_portuserwhitelisted
**center**TRUE

In other words, the whild card search is working exactly as you asked.

In fact, I suggested wildcard only because you entered "*" in the table.  Splunk's lookup also supports CIDR match.  This is probably more appropriate for IP address filtering.  Just food for thought.

0 Karma
Reply
Solved! Jump to solution

Erfan
Explorer
‎03-30-2023 09:26 PM

Thank you Yuanliu

let me rephrase my question, maybe lookup is not a good solution for my problem.

Actually I want to whitelist following traffic on search of fortigate's logs:

Traffic from 172.16.20.12 to every where

traffic from 192.168.26.8 to 198.160.25.74

traffic from every where to 142.250.70.174

traffic from any to any related to a specific user (Alice)

 

All records include all fields.

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎03-30-2023 11:25 PM

Suitability is always defined by the data and requirements.  In the case you described, you can still use lookup to establish the desired whitelist.  For example, if you use match_type WILDCARD in every field, you can say

src_ipdest_ipsrc_zonedest_portuserwhitelisted
172.16.20.12*center**TRUE
192.168.26.8
198.160.25.74center**TRUE
*142.250.70.174center**TRUE
**center*AliceTRUE

and use the same search

| lookup whitelisttest.csv src_ip dest_ip dest_port user
| where isnull(whitelisted)

Now, if you want future ability to use CIDR for more granular control, set src_ip and dest_ip to use CIDR, and change lookup to

src_ipdest_ipsrc_zonedest_portuserwhitelisted
172.16.20.12/320.0.0.0/0center**TRUE
192.168.26.8/32
198.160.25.74/32center**TRUE
0.0.0.0/0142.250.70.174/32center**TRUE
0.0.0.0/00.0.0.0/0center*AliceTRUE

Hope this helps.

Reply
Solved! Jump to solution

Erfan
Explorer
‎04-02-2023 05:01 PM

Thank you so much.

The only vague part for me is that how to create match type for wildcard on all fields in GUI version.

I think this works for CUI: 
field1,field2,field3,output_field,match_type

value1,value2,value3,output_value,*

 

But I do not have acccess to CUI and it is just GUI. So I defined WILDCARD(*) but did not work.

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-03-2023 08:11 AM

You can add as many wildcard lookup fields as needed. This is the instruction from Splunk Web (GUI)

Optionally set up non-exact matching of a comma-and-space-delimited field list. Format is <match_type>(<field_name>). Available values for match_type are WILDCARD and CIDR.

No need for CUI.

Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...