Splunk Search

How to create a search to compare a lookup CSV file of blacklisted IPs with firewall logs?

sumit29
Path Finder

Hi All,

I have a blacklisted IP CSV file (Placed in lookup folder of search(app)). I need to compare with firewall logs if any blacklisted IP is allowed in our network. Please help to create the search to display the results.

0 Karma

renjujacob88
Path Finder

| inputlookup ipblacklist.csv | search [ search index=firewall | dedup src/dstip | fields srcip ]

0 Karma

jet1276
Path Finder

your search | rename src as IP (rename your search's field name you want to compare such as source or destination IP address with what you have in your lookup) | join IP [ inputlookup blacklistedips.csv ] | stats count by (field(s) you want in your output)

0 Karma

woodcock
Esteemed Legend

Assuming both of your sources have a field called ip (if not, you will have to do some name normalization), like this:

... | eval type="firewall" | appendpipe [|inputlookup ipblacklist.csv | eval type="blacklist"] | stats values(*) AS * dc(type) AS numTypes by ip | where numTypes=2

0 Karma

DMohn
Motivator

You can use inputlookup in conjunction with a join to solve this task.

Depending on the field names in your search (they need to be identical - for the example I will assume that the field is named ip) your search can look like this:

 | inputlookup ipblacklist.csv | join type=inner ip [ search your_firewall_search | fields ip ]

This will return all IP addresses in both your inputlookup and your search.

0 Karma
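As an added example (not from any of the answers above), the same check written with the lookup command instead of join, which sidesteps join and subsearch result limits and tests both the source and the destination of every allowed connection. It assumes the CSV has a column named ip, that the firewall events carry src_ip, dest_ip, dest_port and action, and that action=allowed marks permitted traffic; adjust those names to your data.

```spl
index=firewall action=allowed
| lookup ipblacklist.csv ip AS src_ip OUTPUT ip AS blacklisted_src
| lookup ipblacklist.csv ip AS dest_ip OUTPUT ip AS blacklisted_dest
| where isnotnull(blacklisted_src) OR isnotnull(blacklisted_dest)
| eval direction=case(isnotnull(blacklisted_src) AND isnotnull(blacklisted_dest), "both ends listed", isnotnull(blacklisted_src), "inbound from listed IP", true(), "outbound to listed IP")
| stats count AS hits earliest(_time) AS first_seen latest(_time) AS last_seen values(dest_port) AS dest_ports by src_ip dest_ip direction
| convert ctime(first_seen) ctime(last_seen)
| sort - hits
```

lookup matches exact values only; if the blacklist holds CIDR ranges, create a lookup definition in transforms.conf with match_type = CIDR(ip) and reference the definition name in place of the file name.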