Splunk Search

How to find the ips hitting the index waf?

balu1211
Path Finder

To find the IPs hitting the index waf by client IP: if the hitting IPs are present in lookup table 2 they have to be excluded, in place of the policy ID we need the PolicyName from lookup table 1, and we need only "alert" from Rules to be displayed in the search.

ClientIP         PolicyID  Rules  details
194.38.20.161    xxxx      alert  xxxx
199.249.230.183  yyyy      deny   xxxx
                 zzzz             xxxx

lookup 1 

PolicyID PolicyName

xxxx prod
yyyy ops
zzzz xps

 

lookup 2

description  IP
xyz          3.13.1561.11/16
abc          6.18.293.133/32
sdfdh        9.18.53.54/8
aftiml       2.57.344.66/64

Client_IP        PolicyName  Rules  details
194.38.20.161    prod        alert  xydihflaf
199.249.230.183  ops         alert  hdkafhfh
192.456.46.92    xps         alert  yedukak

Ciao

 


richgalloway
SplunkTrust

The first step is to define lookup 2.  Go to Settings->Lookups->Lookup definitions and add a new definition.  Map the lookup to the CSV file containing the data.  Most importantly, check the Advanced Options box and enter CIDR(IP) in the Match type box.

Once that's done you can create a search.

<<your base search>>
```See if the client IP address is in the exclusion table```
| lookup lookup2 IP as ClientIP OUTPUT description
```If the description field is null then the IP is not in the exclusion table```
| where isnull(description)
```Get the policy name from lookup 1```
| lookup lookup1.csv PolicyID OUTPUT PolicyName
| table ClientIP PolicyName Rules details
---
If this reply helps you, Karma would be appreciated.
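The same pipeline assembled into one complete search, with the Rules filter the original question asked for. This is an added example, not richgalloway's or Splunk's own code. It assumes the exclusion lookup definition is named lookup2 with match type CIDR(IP), the policy file is lookup1.csv, and the WAF events carry the fields ClientIP, PolicyID, Rules and details as shown in the question; the output field name excluded_by is an assumed name chosen so the lookup result cannot overwrite a description field that may already exist on the events.

```spl
index=waf Rules=alert
| lookup lookup2 IP AS ClientIP OUTPUT description AS excluded_by
| where isnull(excluded_by)
| lookup lookup1.csv PolicyID OUTPUT PolicyName
| fillnull value="unknown" PolicyName
| table ClientIP PolicyName Rules details
```

Filtering on Rules=alert in the base search keeps the lookups from running over deny events that are dropped anyway, and fillnull makes an unmapped PolicyID visible as "unknown" instead of an empty cell. To confirm the CIDR match type is actually in effect, run the first two lines with excluded_by added to a table: a client inside one of the listed ranges shows that range's description, whereas with the default exact match only an IP string identical to a lookup entry would match. The Advanced Options step in the UI corresponds to match_type = CIDR(IP) in the lookup's transforms.conf stanza.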

balu1211
Path Finder

Hi @richgalloway 

This lookup command is not working.

| lookup lookup1.csv IP as ClientIP OUTPUT description

| lookup lookup2.csv PolicyID OUTPUT PolicyName        
| table ClientIP PolicyName Rules details

The same IP addresses should not be displayed in the search.

We have to exclude the IPs present in the lookup table.

 

thanks

 

 


richgalloway
SplunkTrust

Which lookup command is not working, first, second, or both?  Please share the exact query you are using.

Note that the first lookup command uses a lookup definition rather than a lookup file.  The where command is necessary to exclude IPs present in the lookup table.

---
If this reply helps you, Karma would be appreciated.

balu1211
Path Finder

@richgalloway

How to implement whois lookups for the IP addresses hitting the WAF?

richgalloway
SplunkTrust

There are many apps in splunkbase that offer whois lookups.

You still haven't answered my questions.

---
If this reply helps you, Karma would be appreciated.