Splunk Search

Lookup Country Name

Engager

Hi All,

I'm new to Splunk and have taken the Splunk Search/Reporting and Knowledge Objects courses - however this wasn't really part of them. I'm trying to lookup a Country name to a list of blacklisted countries. As we don't have the country names in the logs by default I need to use the iplocation command. The list itself lists the country in a field called blacklist_country and a y in the column blacklist_country_match (to show it is blacklisted).

I have verified with the inputlookup command the file appears and is formatted as it should be.

I know that to actually have the country names present I need to do the iplocation command - so far I have the following which displays perfectly:

sourcetype="ASA" | iplocation prefix=src_ip_ src_ip | iplocation prefix=dest_ip_ dest_ip

This causes the country names to show up as src_ip_Country and dest_ip_Country.

However, when I do lookups to the table for matches I just get errors. Using this (just for src_ip_Country to start out with):

sourcetype="ASA" earliest=-2h | iplocation prefix=src_ip_ src_ip | lookup blacklistCountries blacklist_country as src_ip_Country OUTPUT blacklist_country_match as src_blacklist_country_match

I've tried adding the .csv to the end of the file name within the lookup command as well as trying OUTPUTNEW.

I'd appreciate any advise on what I'm missing or even whether there is a better or more efficient way to go about this. Also, if anyone has suggestions on actually making this an auto-lookup. I assume the error has something to do with the country names not being in the logs by default and me having to call them in the same search, but I assumed that as I called them prior to the lookup it would have worked out.

Thanks!

Esteemed Legend

What are the headers for your lookup CSV? According to your lookup here:

sourcetype="ASA" earliest=-2h | iplocation prefix=src_ip_ src_ip | lookup blacklistCountries blacklist_country as src_ip_Country OUTPUT blacklist_country_match as src_blacklist_country_match

The format for the command is:

lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUT <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

So according to this mapping, your file has this header:

src_ip_Country,blacklist_country_match

But I suspect that this is not the case in your file.

0 Karma

Legend

What is in your blacklisted countries CSV file? What errors are you seeing?

0 Karma

Engager

Also this is 6.2 and everything is in my personal directory.

0 Karma