Splunk Search

Lookup table matches and associated fields

Path Finder

I have a rather large lookup table of IP addresses and domain names. I keep adding to this list as we get advisories from various groups. The list has gotten so large that I forget what some of them were for, so I have begun to place (in comma delimited form) referring group (aka FBI, SANS, etc.) and what type of attack it is a part of (pony, struts2, etc.). My lookup table works fine, but how do I get the other two entries to be included when I get a hit on an address?

Here is what I have:
index="firewall" dst_ip OR scr_ip( [|inputlookup bad_actors.csv|rename host as query | fields query] ) NOT www.google.com

*the NOT www.google.com is my sanity checker I put in my tables to make sure things are working correctly.

Obviously the search is going to bring up any hits I may get and I can obviously put it into to a report, but I need to know how to get the second and third fields in there to make it useful.

Thanks for looking!

Tags (1)
0 Karma

Revered Legend

Based on your search, I assume there is a field with name 'query' in your events.
Try following:

index="firewall"  dst_ip OR scr_ip  NOT www.google.com |lookup bad_actors.csv query OUTPUT referringGroup attackType | where isnotnull(referreingGroup)
0 Karma


Change 'fields query' to 'fields query referringGroup attackType'. The last two fields should match whatever is in the header of bad_actors.csv.

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...