Splunk Search

How to use a lookup file as a whitelist?

New Member

I'm having problems to use a lookup file as a whitelist. Basically, I have a simple ip address list with CIDR mask appended like:

ip_address
10.20.25.36/20
10.54.22.85/32
192.168.25.14/20

So I uploaded it as PAN_DOS_exceptions.csv, then i defined a stanza in transforms.conf as:

 [PAN_DOS_exceptions]
 filename=PAN_DOS_exceptions.csv
 min_matches = 1
 default_match = NONE
 match_type = CIDR(ip_address) 

Then I used https://my-splunk-server:8000/en-US/debug/refresh to reload the transforms.conf so when I execute the following search:

index="pan_logs" sourcetype=pan_threat log_subtype=flood | NOT [lookup PAN_DOS_exception ip_address AS src_ip]

It returns every entry without filtering the lookup table. The idea is to exclude from the result those ip addresses that are in the lookup table.

Thoughts?

0 Karma

Motivator

Try something like this.

index="pan_logs" sourcetype=pan_threat log_subtype=flood  NOT [ | inputlookup PAN_DOS_exception.csv | rename ip_address AS src_ip | table src_ip | format]

Hope it helps.

0 Karma

Legend

Try this

index="pan_logs" sourcetype=pan_threat log_subtype=flood | lookup PAN_DOS_exception ip_address AS src_ip OUTPUT ip_address | where isnull(ip_address)

New Member

Didn't work...it still does not filter anything. It seems like it just ignores the lookup and bring out every event.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!