Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to ignore ip_address from events that exist in a lookup table

wtaylor149
Explorer
‎07-01-2015 06:47 AM

Splunk Newbie here....

I'm looking to create a search looking for internal hosts reaching out to external DNS servers. I want to exclude our local internal dns servers as well as the root_dns servers. I have created a lookup table (csv file) that has all the root dns servers. How do I tell my search string to not display the root servers?

Example search:
index=asa dest_port=53 action=blocked dest_ip!=10* AND dest_ip!-172* | use lookup table to remove root_dns_srvrs | stats count by src_ip dest_ip

Thanks for the help. BTW, I don't have access to the cli so if I have to update .conf files, there will be more questions. 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-07-2015 07:33 AM

Unless your CSV file has more than 10500 lines, this should work:

index=asa dest_port=53 action=blocked dest_ip!=10* AND dest_ip!-172* NOT [|inputlookup your_lookup.csv | fields dest_ip] | stats count by src_ip dest_ip

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-07-2015 07:33 AM

Unless your CSV file has more than 10500 lines, this should work:

index=asa dest_port=53 action=blocked dest_ip!=10* AND dest_ip!-172* NOT [|inputlookup your_lookup.csv | fields dest_ip] | stats count by src_ip dest_ip
0 Karma
Reply
Solved! Jump to solution

wtaylor149
Explorer
‎07-07-2015 12:21 PM

Sorry but this answer does not exclude the IP's that are in the lookup table.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-07-2015 12:32 PM

It most certainly should; did you run it? When you do, click the Job Inspector and check out the Normalized Search. Does it look correct?

0 Karma
Reply
Solved! Jump to solution

kearaspoor
SplunkTrust
SplunkTrust
‎07-01-2015 12:59 PM

Try simply using the lookup table as part of the search string filtering using a NOT statement, instead of the join.

index=asa dest_port=53 action=blocked dest_ip!=10* AND dest_ip!-172* NOT[ inputlookup your_lookup.csv | fields dest_ip]
| stats count by src_ip dest_ip

Reply
Solved! Jump to solution

jordanperks
Path Finder
‎07-01-2015 04:25 PM

This is the best way to do it in my opinion.

0 Karma
Reply
Solved! Jump to solution

wtaylor149
Explorer
‎07-01-2015 05:59 PM

I tried it this way but it did not work.

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎07-01-2015 07:01 AM

could you please try...

<your Search> | join type=left dest_ip  [ | inputlookup your_lookup.csv |  fields  dest_ip  | dedup  dest_ip | eval DummyColumn="Table2"| fields dest_ip, DummyColumn]  | search NOT DummyColumn=*

Try doing a "LEFT" join with left column being "your_search" , have atleast two columns from "your_lookup.csv" and on final output compare whichever is NOT null. (The logic is, lookup left -hand data and anything which is not matched on right-hand side will output null values)

OR
another option is:

| search NOT [|inputlookup dns.csv| table destIp | rename destIp as dest_ip]

Just filterint out any specific data

Reply
Solved! Jump to solution

wtaylor149
Explorer
‎07-01-2015 07:43 AM

I'll try to explain, sorry about it but my splunk-foo is just not great.

the query i added - the results in my search are only the root servers that i have listed in the lookup table - which are the ones i don't want to see in my results.

the csv file has 3 columns
dns_name dest_ip exists
a.root-servers.net 198.41.0.4 y
b.root-servers.net 192.228.79.201 y

Unfortunately I am not able to provide samples directly from Splunk. But, the only results I am receiving from the query are the root servers listed in the lookup table.

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎07-01-2015 08:12 AM

I've simulated a sample scenario by indexing few random IPs and putting some of the sample as "root_dns_srvrs.csv" and it works correctly.

index=myindex | table ips |head 10| rename ips as dest_ip | join type=left [ |inputlookup root_dns_srvrs.csv|  fields  dest_ip| dedup  dest_ip | eval DummyColumn="Table2"]| search NOT DummyColumn=*

This gave me IP's that are present in "left -hand" list , but NOT present in the dns.csv

0 Karma
Reply
Solved! Jump to solution

wtaylor149
Explorer
‎07-01-2015 10:29 AM

Thank you very much koshyk for your help. This did the trick for the most part. I have this column in my Statistics called DummyColumn that is null, but all the other results are spot on. Thanks again.

0 Karma
Reply
Solved! Jump to solution

wtaylor149
Explorer
‎07-01-2015 07:14 AM

Thanks koshyk but it's not working as expected. Seems I am only pulling the root srvs from the lookup table. Below is the search syntax:

index=asa dest_port=53 action=blocked dest_ip!=10* AND dest_ip!=172* AND | join type=left dest_ip [ | inputlookup root_dns_srvrs.csv | fields dest_ip | dedup dest_ip | eval dummycolumn="dns_name" | fields dest_ip dummycolumn ] | search NOT dummycolumn

my csv file has 3 colums:
dns_name
dest_ip
exists

0 Karma
Reply
Solved! Jump to solution

hanamesh
New Member
‎07-02-2019 09:42 AM

Works fine to me. Thanks!

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎07-01-2015 07:30 AM

hmm... not sure I understand when you "only pulling root srvs from lookup". Could you please put few sample events and sample csv file.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...