Lookup table matches and associated fields

Armyeric · ‎11-15-2013

I have a rather large lookup table of IP addresses and domain names. I keep adding to this list as we get advisories from various groups. The list has gotten so large that I forget what some of them were for, so I have begun to place (in comma delimited form) referring group (aka FBI, SANS, etc.) and what type of attack it is a part of (pony, struts2, etc.). My lookup table works fine, but how do I get the other two entries to be included when I get a hit on an address?

Here is what I have:
index="firewall" dst_ip OR scr_ip( [|inputlookup bad_actors.csv|rename host as query | fields query] ) NOT www.google.com

*the NOT www.google.com is my sanity checker I put in my tables to make sure things are working correctly.

Obviously the search is going to bring up any hits I may get and I can obviously put it into to a report, but I need to know how to get the second and third fields in there to make it useful.

Thanks for looking!

somesoni2 · ‎11-15-2013

Based on your search, I assume there is a field with name 'query' in your events.
Try following:

index="firewall"  dst_ip OR scr_ip  NOT www.google.com |lookup bad_actors.csv query OUTPUT referringGroup attackType | where isnotnull(referreingGroup)

richgalloway · ‎11-15-2013

Change 'fields query' to 'fields query referringGroup attackType'. The last two fields should match whatever is in the header of bad_actors.csv.

---
If this reply helps you, Karma would be appreciated.

Lookup table matches and associated fields

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!