Splunk Search

Lookup not returning results that are listed in the csv file

Explorer

I have a lookup based on a CSV that is a list of IPs with one heading (src_ip), and my search is built to notify on failed logins but to exclude the lookup. So at the end of the search string I put
NOT [|inputlookup lookupname]
This seems to work and excludes most of the IPs in the list.
My question is: why does it not exclude ALL IPs on the list? I've verified that they are indeed in the lookup.csv file that I based it on, but it still does not exclude them.
If anyone has any ideas I would greatly appreciate it!! Thanks.

0 Karma

Re: Lookup not returning results that are listed in the csv file

Contributor

I would guess there might be differences in those IP addresses when compared to the ones from the lookup table... like maybe an extra space / special character (either in the lookup or in the source)?? More data will help. Can you put out a sample output and the search query being used?

0 Karma

Re: Lookup not returning results that are listed in the csv file

Explorer

Search String:
index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time

Here is a sample output (sorry about the terrible format)
_time host src_ip user vendor_action linux_message
Tue May 10.193.XXX.XXX vagrant Invalid user Invalid user vagrant from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX vagrant Invalid user Invalid user vagrant from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX admin Invalid user Invalid user admin from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX pi Invalid user Invalid user pi from 10.193.XXX.XXX

The CSV lookup table has the one field (src_ip) and I have edited it on the server manually and removed/re-added the IP in question, but it still continues to show up.

Thanks !

0 Karma

Re: Lookup not returning results that are listed in the csv file

Contributor

All seems OK... maybe the field name needs to be explicitly stated. Did you try the below?

index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname|fields src_ip] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time
0 Karma
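The two replies above point at the same mechanism: `NOT [|inputlookup ...]` expands the subsearch into an OR of field="value" terms that are compared as exact strings against an event field of the same name, so a stray space in the CSV or a field-name mismatch (src_ip in the lookup vs. some other name on the event) silently leaves an IP unexcluded. The script below is an added example, not code from this thread or from Splunk: it emulates that expansion over a constructed lookup CSV and constructed events, shows which events survive the exclusion and why, and lints the CSV for the kinds of mismatch the contributor guessed at. The CSV contents, the event dictionaries and every function name are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed lookup CSV with CRLF line endings; the third data row carries a
# trailing space, which is exactly the kind of defect that hides in a file
# edited by hand on the server.
LOOKUP_CSV = "src_ip\r\n10.193.1.10\r\n10.193.1.11\r\n10.193.1.12 \r\n10.193.1.13\r\n"

# Constructed events; the "pi" event uses the field name srcip instead of src_ip.
EVENTS = [
    {"src_ip": "10.193.1.10", "user": "vagrant"},  # in lookup: should be excluded
    {"src_ip": "10.193.1.12", "user": "admin"},    # lookup row has a trailing space
    {"srcip": "10.193.1.13", "user": "pi"},        # field name differs from the lookup header
    {"src_ip": "10.193.1.99", "user": "root"},     # not in lookup: should remain
]


def load_lookup(text, field="src_ip"):
    """Return one column's raw values, as `| inputlookup ... | fields src_ip` would emit them."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return [row[field] for row in reader]


def subsearch_filter(values, field="src_ip"):
    """Emulate the subsearch rewrite: (field="v1" OR field="v2" OR ...).

    `field` stands for what the subsearch's column is called; passing a
    different name here plays the role of `| rename src_ip AS <field>`.
    """
    return [(field, v) for v in values]


def excluded(event, filt):
    """True when any term of the OR matches: exact string equality on the named field."""
    return any(event.get(f) == v for f, v in filt)


def remaining(events, filt):
    """Users of the events that survive `NOT [subsearch]`."""
    return [e["user"] for e in events if not excluded(e, filt)]


def normalized(values):
    """What `| eval src_ip=trim(src_ip)` inside the subsearch would produce."""
    return [v.strip() for v in values]


def lint_lookup(values):
    """Report rows that can never match a clean IP field.

    Returns (csv_line_number, raw_value, reason); line 2 is the first data row.
    """
    problems = []
    seen = set()
    for line_no, v in enumerate(values, start=2):
        if v != v.strip():
            problems.append((line_no, v, "surrounding whitespace"))
        try:
            ipaddress.ip_address(v.strip())
        except ValueError:
            problems.append((line_no, v, "not an IP address"))
        if v in seen:
            problems.append((line_no, v, "duplicate"))
        seen.add(v)
    return problems


if __name__ == "__main__":
    raw = load_lookup(LOOKUP_CSV)
    print("lint:", lint_lookup(raw))
    print("raw lookup   ->", remaining(EVENTS, subsearch_filter(raw)))
    print("trimmed      ->", remaining(EVENTS, subsearch_filter(normalized(raw))))
    print("renamed field->", remaining(EVENTS, subsearch_filter(normalized(raw), field="srcip")))
```

Trimming the values rescues the admin event but not the pi one; only renaming the subsearch field to match the event field does that, which is why adding `| fields src_ip` (or a `rename`) made the exclusion more reliable. The same whitespace check can be run inside Splunk with `| inputlookup linuxlookupname | eval trimmed=trim(src_ip) | where src_ip!=trimmed`. One more caveat worth knowing when the list grows: a subsearch's output is capped by limits.conf ([subsearch] maxout, default 10000 rows, and maxtime, default 60 seconds), so rows past the cap are dropped from the expansion without any error in the main search.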

Re: Lookup not returning results that are listed in the csv file

Explorer

This last step seemed to get a little more reliable results. Looks like specifying the field helped. Thanks...

0 Karma