To find the IPs hitting the index waf by client IP: the hitting IPs present in lookup table 2 have to be excluded, in place of policy ID we need PolicyName from lookup table 1, and we need only alert from Rules to be displayed in the search.
| ClientIP | PolicyID | Rules | details |
| --- | --- | --- | --- |
| 194.38.20.161 | xxxx | alert | xxxx |
| 199.249.230.183 | yyyy | deny | xxxx |
| | zzzz | | xxxx |
lookup 1

| PolicyID | PolicyName |
| --- | --- |
| xxxx | prod |
| yyyy | ops |
| zzzz | xps |
lookup 2

| description | IP |
| --- | --- |
| xyz | 3.13.1561.11/16 |
| abc | 6.18.293.133/32 |
| sdfdh | 9.18.53.54/8 |
| aftiml | 2.57.344.66/64 |
Expected output:

| Client_IP | PolicyName | Rules | details |
| --- | --- | --- | --- |
| 194.38.20.161 | prod | alert | xydihflaf |
| 199.249.230.183 | ops | alert | hdkafhfh |
| 192.456.46.92 | xps | alert | yedukak |
Ciao
The first step is to define lookup 2. Go to Settings->Lookups->Lookup definitions and add a new definition. Map the lookup to the CSV file containing the data. Most importantly, check the Advanced Options box and enter CIDR(IP) in the Match type box.
Once that's done you can create a search.
<<your base search>>
```See if the client IP address is in the exclusion table (lookup2 is the lookup definition with CIDR(IP) match type)```
| lookup lookup2 IP as ClientIP OUTPUT description
```If the description field is null then the IP is not in the exclusion table```
| where isnull(description)
```Get the policy name from lookup 1 (PolicyID -> PolicyName)```
| lookup lookup1.csv PolicyID OUTPUT PolicyName
| table ClientIP PolicyName Rules details
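To make the semantics of that pipeline concrete, here is an added Python emulation (not from the original post or from Splunk) of what each stage does: CIDR containment for the exclusion lookup, the isnull filter, the PolicyID join, and, because the question also asked for it, keeping only Rules=alert. The lookup tables and WAF events are constructed sample data with valid CIDRs, not the values from the thread.

```python
import ipaddress

# Constructed lookup 2: the exclusion table, queried with Match type CIDR(IP)
EXCLUSION_CIDRS = {"xyz": "3.13.0.0/16", "abc": "6.18.29.133/32"}
# Constructed lookup 1: PolicyID -> PolicyName
POLICY_NAMES = {"xxxx": "prod", "yyyy": "ops", "zzzz": "xps"}
# Constructed WAF events standing in for <<your base search>>
EVENTS = [
    {"ClientIP": "194.38.20.161", "PolicyID": "xxxx", "Rules": "alert", "details": "sqli"},
    {"ClientIP": "3.13.22.9", "PolicyID": "yyyy", "Rules": "alert", "details": "xss"},
    {"ClientIP": "199.249.230.183", "PolicyID": "yyyy", "Rules": "deny", "details": "lfi"},
    {"ClientIP": "6.18.29.133", "PolicyID": "zzzz", "Rules": "alert", "details": "rfi"},
    {"ClientIP": "6.18.29.134", "PolicyID": "zzzz", "Rules": "alert", "details": "scan"},
    {"ClientIP": "10.0.0.5", "PolicyID": "qqqq", "Rules": "alert", "details": "bot"},
]


def cidr_lookup(ip, table):
    """`| lookup lookup2 IP as ClientIP OUTPUT description` with CIDR(IP) matching.
    Returns the description of the first CIDR containing ip, else None, which is
    what a non-matching lookup leaves behind (isnull(description)). An exact-match
    lookup would catch "6.18.29.133" but never "3.13.22.9" inside 3.13.0.0/16.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # unparsable ClientIP: no CIDR can contain it
    for description, cidr in table.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return description
    return None


def run_search(events, exclusions=EXCLUSION_CIDRS, policies=POLICY_NAMES):
    """Run the whole pipeline: exclude listed IPs, keep alerts, resolve PolicyName, table."""
    rows = []
    for ev in events:
        if cidr_lookup(ev["ClientIP"], exclusions) is not None:
            continue  # | where isnull(description)
        if ev["Rules"] != "alert":
            continue  # | where Rules="alert"  (the extra filter the question asked for)
        rows.append({
            "ClientIP": ev["ClientIP"],
            "PolicyName": policies.get(ev["PolicyID"]),  # unknown PolicyID stays null
            "Rules": ev["Rules"],
            "details": ev["details"],
        })
    return rows
```

Running `run_search(EVENTS)` yields three rows: the /16 and /32 hits are excluded, the deny event is dropped, and the unknown PolicyID keeps a null PolicyName rather than being dropped.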
This lookup command is not working:
| lookup lookup1.csv IP as ClientIP OUTPUT description
| lookup lookup2.csv PolicyID OUTPUT PolicyName
| table ClientIP PolicyName Rules details
The same IP addresses should not be displayed in the search; we have to exclude the IPs present in the lookup table.
thanks
Which lookup command is not working, first, second, or both? Please share the exact query you are using.
Note that the first lookup command uses a lookup definition rather than a lookup file. The where command is necessary to exclude IPs present in the lookup table.
There are many apps on Splunkbase that offer whois lookups.
You still haven't answered my questions.