Splunk Search

How to use lookup to exclude a list of user_names and service_file_names

Darksynergy
Explorer

I am trying to run a search that shows executibles that are run by any user on my network. Yet I want to exclude the search with typically run service .exe's and assocuated service user accounts. I have searched throughout the Splunk website and have done a fair amount of googling on how this can be done but had no success in my search. I have added what I have been trying to achieve below.

Can anyone help me figure out how to achieve this?

*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc

Tags (1)
0 Karma

cmeo
Contributor

You can add a flag to your lookup to tell the next part of the pipeline what to do.

e.g.

file.csv:
thing, exclude
some_user,1
other_user,1

Define the lookup as minimum match = 1 and fill unmatched values with 0.

then in your search

event_stream| lookup yourlookup thing | search exclude=0 | do something to what's left

much easier to maintain...

0 Karma

Darksynergy
Explorer

Thanks to all of you that gave me some pointers on a direction to go to with addressing my issue. I ended going with something a little less complex in regards to using a table as a lookup for exclusions. Because I was only going to be having 10-15 service accounts and services that I that needed to be excluded, I chose to go with the following:

**.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT (ServiceAccount OR WHATEVER.exe) NOT (ServiceAccount1 OR WHATEVER1.exe) NOT (ServiceAccount2 OR WHATEVER2.exe) NOT (ServiceAccount3 OR WHATEVER3.exe) | stats count by User_Name, Image_File_Name, host | sort count desc*

0 Karma

Ayn
Legend

I don't see format there? Anyway, two errors that I can see right away: you're missing a pipe before inputlookup. Also after the first pipe you don't have a command at all? Just something that seems to be meant to be search filters?

Darksynergy
Explorer

Ayn:

Original search:

*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc

Running search as you suggested:

inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name") | stats count by User_Name, Image_File_Name, host | sort count desc

0 Karma

Ayn
Legend

Show the exact search you're running, please.

Darksynergy
Explorer

I tried running the subsearch on its own with the "| format" as you suggested and got the following error.

Error in 'format' command: The ' ' arguments must be specified together or not at all.*

0 Karma

Darksynergy
Explorer

Ayn - I probably should have bolded out the search that I was trying to use so that it was a little more clear and stood out. The search that I started out with is mentioned above for you to review, in my original post. Thanks for taking the time to try and help me.

0 Karma

Ayn
Legend

What does your search look like? And if this problem occurs when you add your subsearch, run the subsearch on its own (without the brackets etc) and add "| format" at the end. This will show you the exact filter string that the subsearch will emit.

Darksynergy
Explorer

Thank you both for your suggestions. I tried both and now seem to be getting an "unbalanced quote" error.

0 Karma

Ayn
Legend

Better yet, don't use the where statement.

<yoursearch> NOT [|inputlookup ExclusionList.csv]

linu1988
Champion

Could you try this

your search query|where NOT [|inputcsv file.csv]

in file.csv contains User_Name,Image_File_Name list. Please give it a try.

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...