Lookup issues

hartfoml
Motivator

I have a table of bad IPs that I want to use in a search against my firewall logs.

In the past I have done this low-tech search:

sourcetype="cisco_syslog" ("x.x.x.x" OR "y.y.y.y" OR "z.z.z.z") # this sometimes takes a long time #

This search would find all the firewall logs that have any of the bad IPs. As the list became longer I wanted to use the list from SANS.org. I can automatically generate the list OK, but how do I use the list in a search?

1 Solution

Ayn
Legend

Create a lookup file and put it in an appropriate directory (for instance $SPLUNK_HOME/etc/system/lookups), then search for IP numbers found in it using a subsearch. Let's say you call the lookup sanslist.csv and use the field name "ip":

sourcetype="cisco_syslog" [| inputlookup sanslist.csv | rename ip AS query | fields query]

Some information on the reason for renaming the "ip" field to "query": a subsearch works much like backticks in many *NIX shells, in that it executes first of all and then returns its results to the outer search, which uses this output. Normally if you have a subsearch with "| fields foo" at the end, the subsearch will return something like this:

((foo="val1") OR (foo="val2") OR (foo="val3") ... OR (foo="val42"))

query is a special field that causes the subsearch to return pure free-text searches rather than searching for values in a particular field. So if foo were to be renamed to query, the subsearch would instead return something like this:

("val1" OR "val2" OR "val3" ... OR "val42")

In your case you want to search for the IP numbers as free-text searches, so that's why the renaming is needed.

Ayn
Legend

If you are passing values to outputlookup you are feeding it with some field value as well. Have a look at this question: http://splunk-base.splunk.com/answers/5521/specify-fields-for-outputlookup-or-outputcsv

Or check yourself in the resulting .csv file. The fieldname is in the headers on the first line of the CSV file.

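As an added example (my own Python, not code from this thread and not Splunk's), the script below emulates on constructed data what the accepted answer and the comment about the CSV header describe: it extracts addresses from a constructed block-list file into a CSV whose first row supplies the lookup's field name, renders the clause a subsearch hands back to the outer search both with and without the rename to query, and runs that free-text match over a few constructed Cisco ASA-style syslog lines. The function names, the sample list and the log lines are all assumptions of the example.

```python
"""Emulate, on constructed data, what the lookup subsearch in the thread does.

Not Splunk's code: builds the lookup CSV (with the header row that gives the
lookup its field name), renders the clause the subsearch returns to the outer
search, and applies that match to a few constructed firewall events.
"""
from __future__ import annotations

import csv
import io
import re

# Constructed stand-in for a downloaded SANS-style block list (documentation
# addresses only): a comment line, a blank line and a trailing comment.
RAW_BLOCKLIST = """\
# constructed sample block list
198.51.100.7
203.0.113.42

192.0.2.99   # trailing comment
"""

# Constructed Cisco ASA-style syslog lines; not real traffic.
SAMPLE_LOGS = [
    "Oct  3 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 1 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "Oct  3 12:00:02 fw01 %ASA-6-302014: Teardown TCP connection 2 for "
    "outside:93.184.216.34/80 to inside:10.0.0.6/51235 duration 0:00:01 bytes 1200",
    "Oct  3 12:00:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.42/5555 "
    "dst inside:10.0.0.7/22 by access-group \"outside_in\"",
    # 203.0.113.4 is a prefix of a listed address but is NOT listed itself.
    "Oct  3 12:00:04 fw01 %ASA-6-302013: Built inbound TCP connection 3 for "
    "outside:203.0.113.4/443 to inside:10.0.0.8/40000",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_lookup_csv(raw: str, field: str = "ip") -> str:
    """Turn the raw list into lookup CSV text. The first row is the header:
    that is where the lookup's field name comes from, so a file written
    without it has no "ip" field for `rename ip AS query` to act on."""
    ips: list[str] = []
    for line in raw.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and padding
        m = IPV4.search(line)
        if m and m.group(0) not in ips:
            ips.append(m.group(0))
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([field])                      # header row = field name
    writer.writerows([ip] for ip in ips)
    return buf.getvalue()


def read_lookup(csv_text: str, field: str = "ip") -> list[str]:
    """Stand-in for `| inputlookup sanslist.csv | fields ip`."""
    return [row[field] for row in csv.DictReader(io.StringIO(csv_text))]


def subsearch_clause(values: list[str], field: str | None = None) -> str:
    """Render what the subsearch returns to the outer search.

    field=None mimics `rename ip AS query`: bare quoted terms, matched as
    free text anywhere in the event. A field name mimics leaving the field
    as it is: field="value" terms, matched only in that field."""
    if field is None:
        terms = [f'"{v}"' for v in values]
    else:
        terms = [f'({field}="{v}")' for v in values]
    return "(" + " OR ".join(terms) + ")"


def outer_search(values: list[str]) -> str:
    """The search as Splunk sees it once the subsearch has expanded."""
    return 'sourcetype="cisco_syslog" ' + subsearch_clause(values)


def matching_events(logs: list[str], bad_ips: list[str]) -> list[str]:
    """Apply the free-text match to constructed events: an event is kept when
    a listed address appears as a whole token, so 203.0.113.4 does not match
    a list entry of 203.0.113.42 (a plain substring test would)."""
    wanted = set(bad_ips)
    return [line for line in logs if wanted & set(IPV4.findall(line))]


if __name__ == "__main__":
    csv_text = build_lookup_csv(RAW_BLOCKLIST)
    print(csv_text)                               # header "ip", then one IP per row
    ips = read_lookup(csv_text)
    print(outer_search(ips))                      # free-text form, after the rename
    print(subsearch_clause(ips, field="ip"))      # what you get WITHOUT the rename
    for event in matching_events(SAMPLE_LOGS, ips):
        print("HIT:", event)
```

Run it with python3; nothing talks to Splunk. Two caveats for the real search: the free-text form matches the address wherever it appears in the event (source or destination), so if your sourcetype extracts src_ip and dst_ip fields, renaming ip to one of those in the subsearch instead of to query scopes the match to that field. And a subsearch returns at most 10,000 results by default (maxout under [subsearch] in limits.conf), so a very long block list is better matched with the lookup command against an extracted IP field than expanded into a chain of OR terms.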

hartfoml
Motivator

I think I'm missing something: "the field name".

The sanslist.csv is only a list of IPs; there is no field name in the one-column table. How do I get the field name into the table or lookup?

I am doing a rex piped to a table command to get the IP from a scripted downloaded file and then pipe the table to "outputlookup sanslist.csv". How do I get the field name into this?
