Splunk Search

Is it possible to load a Sysmon log into Splunk as a lookup table, but how do I view it after that?

Blackdragon7
Observer

I can load a Sysmon log into Splunk as a lookup table, but how do I view it after that? What code do I use to view the log in search?


gcusello
SplunkTrust

Hi @Blackdragon7,

First of all: have you already ingested the Sysmon logs or not?

If yes, you only need to work out whether these logs are in a lookup or (more likely) in an index.

Using this information, you can search your logs (index or lookup):

index=your_sysmon_index

or

| inputlookup your_sysmon_lookup.csv

If instead you haven't indexed Sysmon yet, you need to use an Add-on (I suggest the Splunk Add-on for Sysmon at https://splunkbase.splunk.com/app/5709 ) and follow its instructions to ingest Sysmon data.

Then, to search the logs, you can create your own searches and dashboards or use an App from Splunkbase (https://splunkbase.splunk.com/apps?keyword=sysmon).

If you have problems creating searches, you can follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial).

Ciao.

Giuseppe


Blackdragon7
Observer

[attached image: Screenshot 2023-05-06 8.59.50 AM.png]


Blackdragon7
Observer

Hi Giuseppe

I uploaded the sysmon.json file into Splunk as a new lookup file. I tried your code and neither search worked.

Regards,

Idries


Blackdragon7
Observer

Hi gcusello,

Thanks for the information. Yes, I had loaded them as lookup tables; I just needed your code to view them from the search. I'll see if that works. It's the sysmon.json log file. I need to view the logs to uncover some information to complete the advanced Splunk room on TryHackMe.

Regards,

Idries


yuanliu
SplunkTrust

Again, you cannot use a JSON log as a lookup, unless you have an external system to convert these JSON events to CSV (which is not trivial and is generally ill advised because there is no industry standard for doing this).

Again, what is it you are really trying to achieve? What fields in the JSON file interest you? What do the values look like? How do you plan to use these field names and values? In the end, if some fields are useful as a lookup, you can always ingest the file into an index, then use outputlookup to save them in lookup format.

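The "external system to convert these JSON events to CSV" mentioned above is the missing step that makes a lookup usable at all: Splunk's lookup editor expects a flat CSV with a header row, not one JSON object per line. The script below is an added example, not code from the original thread or from Splunk. It assumes the sysmon.json file is newline-delimited JSON in the nested Event/System/EventData layout that several Windows event exporters produce; the FIELDS mapping is an assumption you must adapt to your own file, since (as the answer says) there is no standard layout. It flattens each event into dotted keys, projects the chosen columns, optionally keeps only selected Event IDs, skips blank lines, and reports (rather than silently drops) lines that are not valid JSON.

```python
"""Flatten Sysmon NDJSON events into a CSV that can be uploaded as a Splunk lookup.

Added example; the nested Event.System / Event.EventData layout and the FIELDS
mapping are assumptions about the export format and must match your own file.
"""
import csv
import io
import json
import sys
from typing import Any, Dict, Iterable, List, Optional, Set, Tuple

# CSV column name -> dotted path into the flattened event (assumed layout).
FIELDS: Dict[str, str] = {
    "TimeCreated": "Event.System.TimeCreated",
    "host": "Event.System.Computer",
    "EventCode": "Event.System.EventID",
    "Image": "Event.EventData.Image",
    "CommandLine": "Event.EventData.CommandLine",
    "User": "Event.EventData.User",
    "ProcessId": "Event.EventData.ProcessId",
    "DestinationIp": "Event.EventData.DestinationIp",
    "DestinationPort": "Event.EventData.DestinationPort",
}

# Constructed sample events (not real telemetry): two process-creation events
# (Event ID 1) and one network connection (Event ID 3).
_SAMPLE_EVENTS = [
    {"Event": {"System": {"EventID": 1, "Computer": "WS01", "TimeCreated": "2023-05-06T08:55:01Z"},
               "EventData": {"Image": r"C:\Windows\System32\cmd.exe",
                             "CommandLine": "cmd.exe /c whoami",
                             "User": r"CORP\idries", "ProcessId": 4321}}},
    {"Event": {"System": {"EventID": 1, "Computer": "WS01", "TimeCreated": "2023-05-06T08:56:10Z"},
               "EventData": {"Image": r"C:\Windows\System32\rundll32.exe",
                             # Contains a comma: the csv module must quote it for the lookup to parse.
                             "CommandLine": r"rundll32.exe C:\Users\idries\AppData\Local\Temp\x.dll,DllMain",
                             "User": r"CORP\idries", "ProcessId": 4410}}},
    {"Event": {"System": {"EventID": 3, "Computer": "WS01", "TimeCreated": "2023-05-06T08:56:11Z"},
               "EventData": {"Image": r"C:\Windows\System32\rundll32.exe",
                             "DestinationIp": "10.10.14.3", "DestinationPort": 4444,
                             "ProcessId": 4410}}},
]

# Constructed NDJSON input: includes a blank line and a malformed line, both of
# which real exports can contain and both of which must not break the conversion.
SAMPLE_NDJSON = "\n".join([
    json.dumps(_SAMPLE_EVENTS[0]),
    "",
    json.dumps(_SAMPLE_EVENTS[1]),
    "not json at all",
    json.dumps(_SAMPLE_EVENTS[2]),
]) + "\n"


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts/lists into dotted keys, e.g. Event.EventData.Image."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):  # lists become numbered keys
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix[:-1]] = obj  # strip the trailing dot from the accumulated path
    return out


def parse_ndjson(text: str) -> Tuple[List[Dict[str, Any]], List[int]]:
    """Return (events, bad_line_numbers). Blank lines are skipped; non-JSON lines are reported."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(lineno)  # never silently drop a row from evidence
    return events, bad


def to_rows(events: Iterable[Dict[str, Any]], fields: Dict[str, str] = FIELDS,
            event_ids: Optional[Set[int]] = None) -> List[Dict[str, Any]]:
    """Project each event onto the lookup columns; missing fields become empty strings."""
    rows = []
    for event in events:
        flat = flatten(event)
        row = {column: flat.get(path, "") for column, path in fields.items()}
        if event_ids is not None and row.get("EventCode") not in event_ids:
            continue
        rows.append(row)
    return rows


def write_lookup_csv(rows: List[Dict[str, Any]], fields: Dict[str, str] = FIELDS) -> str:
    """Serialize rows as CSV with a header row; csv handles quoting of commas and quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def convert(ndjson: str, fields: Dict[str, str] = FIELDS,
            event_ids: Optional[Set[int]] = None) -> Tuple[str, List[int]]:
    """Full pipeline: NDJSON text -> (lookup CSV text, list of skipped line numbers)."""
    events, bad = parse_ndjson(ndjson)
    return write_lookup_csv(to_rows(events, fields, event_ids), fields), bad


if __name__ == "__main__":
    # Keep only process-creation events (Event ID 1) for a process lookup.
    csv_text, skipped = convert(SAMPLE_NDJSON, event_ids={1})
    sys.stdout.write(csv_text)
    if skipped:
        print(f"skipped non-JSON lines: {skipped}", file=sys.stderr)
```

Write the returned CSV to a file, upload it under Settings > Lookups > Lookup table files, and it can then be read with `| inputlookup your_file.csv` and filtered with a normal search, for example on CommandLine. Keeping the hypothetical FIELDS map explicit is deliberate: a lookup is a flat table, so you have to decide up front which Sysmon fields you need, which is exactly the question the answer above is asking.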

gcusello
SplunkTrust

Hi @Blackdragon7,

as I said, reconsider the choice of using a lookup: in my opinion it's better to have these logs in an index, because I suppose that you continuously receive them and you need history.

Let us know if you need more help.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉


yuanliu
SplunkTrust

If by Sysmon you mean Windows Sysmon, I can't see how it can be useful as a lookup table. Maybe you can describe what you are trying to achieve instead?
