Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a search to compare a lookup CSV file of blacklisted IPs with firewall logs?

sumit29
Path Finder
‎11-24-2015 04:07 AM

Hi All,

I have a blacklisted IP CSV file (Placed in lookup folder of search(app)). I need to compare with firewall logs if any blacklisted IP is allowed in our network. Please help to create the search to display the results.

0 Karma
Reply

renjujacob88
Path Finder
‎04-04-2017 11:37 AM

| inputlookup ipblacklist.csv | search [ search index=firewall | dedup src/dstip | fields srcip ]

0 Karma
Reply

jet1276
Path Finder
‎08-17-2016 03:13 AM

your search | rename src as IP (rename your search's field name you want to compare such as source or destination IP address with what you have in your lookup) | join IP [ inputlookup blacklistedips.csv ] | stats count by (field(s) you want in your output)

0 Karma
Reply

woodcock
Esteemed Legend
‎11-24-2015 12:25 PM

Assuming both of your sources have a field called ip (if not, you will have to do some name normalization), like this:

... | eval type="firewall" | appendpipe [|inputlookup ipblacklist.csv | eval type="blacklist"] | stats values(*) AS * dc(type) AS numTypes by ip | where numTypes=2
0 Karma
Reply

DMohn
Motivator
‎11-24-2015 05:19 AM

You can use inputlookupin conjunction with a join to solve this task.

Depending on the field names in your search (they need to be identical - for the example I will asssume that the field is named ip) your search can look like this:

 | inputlookup ipblacklist.csv | join type=inner ip [ search your_firewall_search | fields ip ]

This will return all IP addresses in both your inputlookup and your search,

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...