I'm new to Splunk and have taken the Splunk Search/Reporting and Knowledge Objects courses; however, this wasn't really part of them. I'm trying to look up a country name in a list of blacklisted countries. As we don't have the country names in the logs by default, I need to use the iplocation command. The list itself has the country in a field called blacklistcountry and a "y" in the column blacklistcountry_match (to show it is blacklisted).
I have verified with the inputlookup command the file appears and is formatted as it should be.
I know that to actually have the country names present I need to use the iplocation command; so far I have the following, which displays perfectly:
sourcetype="ASA" | iplocation prefix=srcip srcip | iplocation prefix=destip_ dest_ip
This causes the country names to show up as srcipCountry and destipCountry.
However, when I do lookups against the table for matches, I just get errors. Using this (just for srcipCountry to start with):
sourcetype="ASA" earliest=-2h | iplocation prefix=srcip srcip | lookup blacklistCountries blacklistcountry as srcipCountry OUTPUT blacklistcountrymatch as srcblacklistcountry_match
I've tried adding the .csv to the end of the file name within the lookup command as well as trying OUTPUTNEW.
I'd appreciate any advice on what I'm missing, or even whether there is a better or more efficient way to go about this. Also, if anyone has suggestions on actually making this an auto-lookup. I assume the error has something to do with the country names not being in the logs by default and me having to call them in the same search, but I assumed that as I called them prior to the lookup it would have worked out.
What are the headers for your lookup CSV? According to your lookup here:
sourcetype="ASA" earliest=-2h | iplocation prefix=src_ip_ src_ip | lookup blacklistCountries blacklist_country as src_ip_Country OUTPUT blacklist_country_match as src_blacklist_country_match
The format for the command is:
lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUT <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>
So according to this mapping, your file has this header:
But I suspect that this is not the case in your file.
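For reference, the following is an added example (mine, not the original poster's or the answerer's) of what the search looks like once the lookup-field names match the CSV header exactly. It uses the header the question describes (blacklistcountry and blacklistcountry_match), the event fields from the question's own search (srcip and dest_ip), and output field names and the prefix spelling (srcip_, destip_) that are my own choice:

```spl
sourcetype="ASA" earliest=-2h
| iplocation prefix=srcip_ srcip
| iplocation prefix=destip_ dest_ip
| lookup blacklistCountries blacklistcountry AS srcip_Country OUTPUTNEW blacklistcountry_match AS src_blacklist_match
| lookup blacklistCountries blacklistcountry AS destip_Country OUTPUTNEW blacklistcountry_match AS dest_blacklist_match
| where src_blacklist_match="y" OR dest_blacklist_match="y"
| table _time srcip srcip_Country src_blacklist_match dest_ip destip_Country dest_blacklist_match
```

Two things to check if this still returns nothing: the CSV header must match the lookup-field names character for character (blacklistcountry_match, not blacklistcountrymatch), and lookup matching is case-sensitive by default, so "United States" in the CSV will not match "united states" from iplocation unless the lookup's transforms.conf stanza sets case_sensitive_match = false. On the auto-lookup question: an automatic lookup defined in props.conf runs during search-time field extraction, before search commands such as iplocation execute, so a country field that only exists after iplocation is not available to it; the explicit lookup in the search pipeline is the workable form here.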