Splunk Search

Lookup table matches and associated fields

Armyeric
Path Finder

I have a rather large lookup table of IP addresses and domain names. I keep adding to this list as we get advisories from various groups. The list has gotten so large that I forget what some of them were for, so I have begun to place (in comma delimited form) referring group (aka FBI, SANS, etc.) and what type of attack it is a part of (pony, struts2, etc.). My lookup table works fine, but how do I get the other two entries to be included when I get a hit on an address?

Here is what I have:
index="firewall" dst_ip OR src_ip ( [|inputlookup bad_actors.csv|rename host as query | fields query] ) NOT www.google.com

*the NOT www.google.com is my sanity checker I put in my tables to make sure things are working correctly.

Obviously the search is going to bring up any hits I may get and I can obviously put it into a report, but I need to know how to get the second and third fields in there to make it useful.

Thanks for looking!

0 Karma

somesoni2
Revered Legend

Based on your search, I assume there is a field with name 'query' in your events.
Try the following:

index="firewall" dst_ip OR src_ip NOT www.google.com | lookup bad_actors.csv host AS query OUTPUT referringGroup attackType | where isnotnull(referringGroup)
0 Karma

richgalloway
SplunkTrust

Change 'fields query' to 'fields query referringGroup attackType'. The last two fields should match whatever is in the header of bad_actors.csv.

---
If this reply helps you, Karma would be appreciated.
0 Karma
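The following search is an added example and is not code from any of the posters above. It assumes the CSV header is host,referringGroup,attackType (the column names the two answers use) and that firewall events carry src_ip and dst_ip fields. Rather than filtering with a subsearch, it runs the lookup against each address field separately, so an indicator is enriched whether it appears as source or destination, and the sanity-check row for www.google.com from the original question still drops out.

```spl
index="firewall" (src_ip=* OR dst_ip=*) NOT www.google.com
| lookup bad_actors.csv host AS dst_ip OUTPUT referringGroup AS dst_group attackType AS dst_attack
| lookup bad_actors.csv host AS src_ip OUTPUT referringGroup AS src_group attackType AS src_attack
| where isnotnull(dst_group) OR isnotnull(src_group)
| eval matched_ip=if(isnotnull(dst_group), dst_ip, src_ip)
| eval referringGroup=coalesce(dst_group, src_group)
| eval attackType=coalesce(dst_attack, src_attack)
| table _time src_ip dst_ip matched_ip referringGroup attackType
```

Two reasons to prefer `lookup` over the `[|inputlookup ...]` subsearch for a list that keeps growing: a subsearch expands the whole indicator list into one giant OR clause and is capped by the subsearch result limit (10,000 rows by default), so a large list silently stops matching the tail of the CSV, whereas `lookup` joins the events against the file with no such cap; and the enrichment columns come back in the same step, which is exactly the referring group and attack type the question is after. The `where isnotnull(...)` line keeps only events that hit the list, so the result can be saved as a report or alert as-is.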