Splunk Search

How to edit my search to return events with an IP that originate from a Country in a lookup file?

Explorer

I have a search for my IDS/IPS systems feeding Splunk. I want to evaluate all the IDS/IPS events that have triggered and check whether any of the src_ip or dest_ip values originate from an embargoed country. I have a lookup table with one column called Country. I've tried a few different searches, but none have returned any results. I imagine there must be an eval statement I'm missing somewhere...not sure.

Search:

index=ids_ips [|inputlookup embargoed_countries.csv | fields Country] |dedup src_ip dest_ip|iplocation src_ip|fillnull value=No_Country_Defined Country|table src_ip dest_ip Country
1 Solution

Legend

Maybe this will help
index=ids_ips | dedup src_ip dest_ip | iplocation src_ip | search [| inputlookup embargoed_countries.csv | fields Country] | table src_ip dest_ip Country

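The accepted answer works because the subsearch is placed after iplocation, so the Country field exists by the time the generated `(Country="...") OR (Country="...")` filter is applied; in the original search the subsearch sat in the base search, where Country is not an indexed field of the raw events, which is why it returned nothing. The answer only geolocates src_ip, though, and the thread's later check is a manual `stats count by Country`. The following is an added example, not code from the thread or from Splunk's own documentation: a scheduled search in savedsearches.conf that checks both ends of the connection and uses a lookup join instead of a subsearch, so an embargoed-country match is visible as a field in the output. It assumes the field names src_ip and dest_ip used in the question, a lookup file embargoed_countries.csv with a single Country column, and that the values in that column are spelled exactly as iplocation emits them.

```ini
# Added example (not from the thread): a scheduled search that flags
# IDS/IPS events where either end of the connection geolocates to a
# country listed in embargoed_countries.csv.
# Assumed: events carry src_ip and dest_ip, the lookup has one column
# named Country, and its values are spelled exactly as iplocation emits
# them. Run "index=ids_ips | iplocation src_ip | stats count by Country"
# first to see the exact spellings before populating the CSV.
[IDS events to or from embargoed countries]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Fire whenever the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
search = index=ids_ips \
  | iplocation prefix=src_ src_ip \
  | iplocation prefix=dest_ dest_ip \
  | lookup embargoed_countries.csv Country AS src_Country OUTPUT Country AS src_embargoed \
  | lookup embargoed_countries.csv Country AS dest_Country OUTPUT Country AS dest_embargoed \
  | where isnotnull(src_embargoed) OR isnotnull(dest_embargoed) \
  | eval flagged_country = coalesce(src_embargoed, dest_embargoed) \
  | stats count AS hits, dc(src_ip) AS distinct_sources, earliest(_time) AS first_seen, latest(_time) AS last_seen BY flagged_country \
  | convert ctime(first_seen) ctime(last_seen) \
  | sort - hits
```

The `prefix=` option keeps the two geolocations apart as src_Country and dest_Country, and the `lookup ... Country AS src_Country OUTPUT Country AS src_embargoed` form turns the one-column CSV into a membership test: src_embargoed is populated only when the value matched a row. Private or unroutable addresses get no Country from iplocation and therefore never match, so internal-to-internal traffic is not flagged. Note that the thread's `dedup src_ip dest_ip` keeps only the first event per address pair, so any count taken after it is a count of distinct pairs rather than of alerts; the example above deliberately omits it and reports distinct sources separately.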

SplunkTrust

How do you map the country to a src_ip and/or dest_ip? Do the events in index=ids_ips have a Country field in them?


Explorer

That's kind of what I'm trying to accomplish. Run a search in the ids_ips index (I add the country with the "iplocation src_ip" command). Evaluate the Country from the search against the csv file looking for matches. Hope that makes sense.
Search returns:
src_ip Country
2.2.2.2 United States (don't show in the results)
5.5.5.5 Somalia (show in the results)


SplunkTrust

Then try the answer by @sundareshr. Validate the lookup table name and the name of the country field (it should match with your search result).



Explorer

Not sure what happened but the search worked. Thank you for your help.


Explorer

Unfortunately this search did not do the trick. It only returned 12 lines and all from the same country. I know I have more than a few embargoed_countries banging on the door.


SplunkTrust

Run this and find the count by country. Then compare with the results from the query above to check whether it is correct or not.

index=ids_ips | dedup src_ip dest_ip | iplocation src_ip | stats count by Country