Splunk Search

How to find the ips hitting the index waf?

balu1211
Path Finder

To find the IPs hitting the index waf by client IP: if the hitting IPs are present in lookup table 2 they have to be excluded, in place of the policy ID we need the PolicyName from lookup table 1, and we need only "alert" from Rules to be displayed in the search.

ClientIP         PolicyID  Rules  details
194.38.20.161    xxxx      alert  xxxx
199.249.230.183  yyyy      deny   xxxx
                 zzzz             xxxx

lookup 1 

PolicyID PolicyName

xxxx prod
yyyy ops
zzzz xps

 

lookup 2

description            IP

xyz 3.13.1561.11/16
abc 6.18.293.133/32
sdfdh 9.18.53.54/8
aftiml 2.57.344.66/64

 

Client_IP        PolicyName  Rules  details
194.38.20.161    prod        alert  xydihflaf
199.249.230.183  ops         alert  hdkafhfh
192.456.46.92    xps         alert  yedukak
 

Ciao

 


richgalloway
SplunkTrust

The first step is to define lookup 2.  Go to Settings->Lookups->Lookup definitions and add a new definition.  Map the lookup to the CSV file containing the data.  Most importantly, check the Advanced Options box and enter CIDR(IP) in the Match type box.

Once that's done you can create a search.

<<your base search>>
```See if the client IP address is in the exclusion table (lookup2 is the lookup definition with CIDR(IP) match type)```
| lookup lookup2 IP as ClientIP OUTPUT description
```If the description field is null then the IP is not in the exclusion table```
| where isnull(description)
```Get the policy name from lookup 1 (PolicyID -> PolicyName)```
| lookup lookup1.csv PolicyID OUTPUT PolicyName
| table ClientIP PolicyName Rules details
---
If this reply helps you, Karma would be appreciated.
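The following is an added example, not code from the thread or from Splunk: a small Python emulation of what the search above does, so the expected output can be checked offline before the SPL is written. It assumes constructed sample data shaped like the three tables in the question (with valid CIDR blocks in place of the post's placeholders) and adds the `Rules="alert"` filter the question asks for. The `lookup_exact` function shows why the CIDR match type matters: with the default exact match, an IP inside a /8 block is never found and is therefore not excluded.

```python
import ipaddress

# Constructed sample data, modelled on the question's tables (not the poster's real data).
# Base WAF events: ClientIP, PolicyID, Rules, details.
WAF_EVENTS = [
    {"ClientIP": "194.38.20.161",   "PolicyID": "xxxx", "Rules": "alert", "details": "xydihflaf"},
    {"ClientIP": "199.249.230.183", "PolicyID": "yyyy", "Rules": "deny",  "details": "hdkafhfh"},
    {"ClientIP": "9.18.53.54",      "PolicyID": "zzzz", "Rules": "alert", "details": "yedukak"},
    {"ClientIP": "6.18.29.133",     "PolicyID": "xxxx", "Rules": "alert", "details": "abc"},
    {"ClientIP": "192.0.2.92",      "PolicyID": "zzzz", "Rules": "alert", "details": "def"},
]

# lookup1: PolicyID -> PolicyName (exact match is fine here).
LOOKUP1 = [
    {"PolicyID": "xxxx", "PolicyName": "prod"},
    {"PolicyID": "yyyy", "PolicyName": "ops"},
    {"PolicyID": "zzzz", "PolicyName": "xps"},
]

# lookup2: exclusion list of CIDR blocks (constructed, valid CIDRs).
LOOKUP2 = [
    {"description": "xyz",   "IP": "3.13.0.0/16"},
    {"description": "abc",   "IP": "6.18.29.133/32"},
    {"description": "sdfdh", "IP": "9.0.0.0/8"},
]


def lookup_exact(rows, key_field, key_value, out_field):
    """Default `lookup` behaviour: the event value must equal the lookup cell exactly.
    Returns the OUTPUT field, or None when there is no match (Splunk leaves the field null)."""
    for row in rows:
        if row[key_field] == key_value:
            return row[out_field]
    return None


def lookup_cidr(rows, key_field, ip, out_field):
    """`lookup` with match type CIDR(<field>): the event IP must fall inside the lookup cell's block."""
    addr = ipaddress.ip_address(ip)
    for row in rows:
        if addr in ipaddress.ip_network(row[key_field], strict=False):
            return row[out_field]
    return None


def run_search(events, lookup1=LOOKUP1, lookup2=LOOKUP2, rule="alert"):
    """Emulates the SPL pipeline: exclude listed IPs, add PolicyName, keep only `rule`, table the fields."""
    results = []
    for ev in events:
        # | lookup lookup2 IP as ClientIP OUTPUT description   (CIDR match type)
        description = lookup_cidr(lookup2, "IP", ev["ClientIP"], "description")
        # | where isnull(description)   -> keep only IPs that are NOT in the exclusion table
        if description is not None:
            continue
        # | lookup lookup1.csv PolicyID OUTPUT PolicyName
        policy_name = lookup_exact(lookup1, "PolicyID", ev["PolicyID"], "PolicyName")
        # | where Rules="alert"   -> the question asks for alerts only
        if ev["Rules"] != rule:
            continue
        # | table ClientIP PolicyName Rules details
        results.append({
            "ClientIP": ev["ClientIP"],
            "PolicyName": policy_name,
            "Rules": ev["Rules"],
            "details": ev["details"],
        })
    return results


if __name__ == "__main__":
    for row in run_search(WAF_EVENTS):
        print(row)
    # With the default exact match the /8 entry never matches, so 9.18.53.54 would NOT be excluded:
    print("exact match result for 9.18.53.54:", lookup_exact(LOOKUP2, "IP", "9.18.53.54", "description"))
```

Running this leaves two rows (194.38.20.161/prod and 192.0.2.92/xps): the deny event is dropped by the rule filter, and the two IPs inside the /32 and /8 blocks are dropped by the exclusion step, which only works because the match is done per CIDR block rather than by exact string.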

balu1211
Path Finder

Hi @richgalloway 

This lookup command is not working.

| lookup lookup1.csv IP as ClientIP OUTPUT description
| lookup lookup2.csv PolicyID OUTPUT PolicyName
| table ClientIP PolicyName Rules details

The same IP addresses should not be displayed in the search.

We have to exclude the IPs present in the lookup table.

 

thanks


richgalloway
SplunkTrust

Which lookup command is not working, first, second, or both?  Please share the exact query you are using.

Note that the first lookup command uses a lookup definition rather than a lookup file.  The where command is necessary to exclude IPs present in the lookup table.

---
If this reply helps you, Karma would be appreciated.

balu1211
Path Finder

@richgalloway

How to implement whois lookups for IP addresses hitting the WAF?

richgalloway
SplunkTrust

There are many apps on Splunkbase that offer whois lookups.

You still haven't answered my questions.

---
If this reply helps you, Karma would be appreciated.