I have run a search query in Splunk which return all the events contained "API call" initiated from some "IP_address" . I have one lookup attacker_ip.csv which contain blacklisted IP. I need to compare "IP_address" from search result to "attacker_ip" in attacker.csv. And print all the events for which "IP" matched.
Try this search query:
<query to get data from Splunk index> | search [| inputlookup attacker_ip.csv | rename attacker_ip AS IP_address].
This query gives you all events where IP address is blacklisted in csv file.
if you share the search and lookup headers, it would help. Also, in your lookup, always have atleast 2 columns, say, attacker_ip,status. The status can be whitelist (or valid etc..)
index=yoursearch IP_address=* | inputlookup attacker_ip.csv IP_address AS attacker_ip OUPUT status | where status=whitelist
The above will return matched results (IP matches between events and lookup)
I have lookup named attacker_ip.csv which is having more then two fields clientIpAddress,status etc. I need to match filed "IP_Address" from my search events to the field "ClientIpAddress" in csv and return table of those events for which IP got matched
My search is below-
index=prod* sourcetype=log4j API_Client:* | eval Impersonator_Uuid=if(isnotnull(impersonatorUuid),impersonatorUuid,"NA")
|inputlookup attacker_ip.csv clientIpAddress AS IP_Address
which is not working..
if you run the search
index=prod* sourcetype=log4j API_Client:* | eval Impersonator_Uuid=if(isnotnull(impersonatorUuid),impersonatorUuid,"NA") | fillnull value="N/A" "IP_Address" | stats count by "IP_Address" , are you seeing valid IPs? If so, then you can run index=prod* sourcetype=log4j API_Client:* "IP_Address"=* | eval Impersonator_Uuid=if(isnotnull(impersonatorUuid),impersonatorUuid,"NA") |inputlookup attacker_ip.csv ClientIpAddress AS "IP_Address" it should give you matched results.
Pls note that the field names are case sensitive and assume no space between IP and _?