Splunk Search

Search query required to lookup a csv file

ajayrejin
Explorer

Hi,

I need to check if the source address from the firewall logs is in a private IP address range. How would I check this using the inputlookup and join commands?
Below is the query I am using; however, no results come up.

index=firewall log_subtype=vulnerability severity=informational | join src [ inputlookup PRIVATE_IP.csv ] | stats count by src


DMohn
Motivator

Hi,

You don't have to use a join here, which is a very "costly" command. A simple subsearch does the trick as well:

  index=firewall log_subtype=vulnerability severity=informational | search [inputlookup PRIVATE_IP.csv]

This works given that the lookup table contains only one field, named "src"; otherwise you will have to restrict the fields returned from the subsearch and/or rename the field.


ajayrejin
Explorer

Hi,

Thank you for that query.
I am using the query below, and the results I see are only public IP addresses; however, the result should show only private IPs. Am I doing something wrong? Please do correct me.

index=firewall log_subtype="vulnerability" severity="informational" | join type=left src_ip [ inputlookup PRIVATE_IP.csv ] | stats count by src_ip


DMohn
Motivator

You don't have to use the join command. Have you tried using the query I stated above? If you add the count command, you should get exactly the result you want.

 index=firewall log_subtype="vulnerability" severity="informational" | search [ inputlookup PRIVATE_IP.csv ] | stats count by src_ip
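Putting the two pieces of this answer together, as an added example that is not from the original thread: the first query restricts the subsearch to the one field the outer search needs and renames it, assuming (as the later posts suggest) that the lookup column is called src while the firewall events carry src_ip; both field names are assumptions here. The second query does the private-range check without a lookup at all, using cidrmatch() against the three RFC 1918 blocks, so it also catches an address that falls inside a private range but is not listed as an individual row in the CSV:

```spl
index=firewall log_subtype="vulnerability" severity="informational"
| search [ inputlookup PRIVATE_IP.csv | rename src AS src_ip | fields src_ip ]
| stats count BY src_ip

index=firewall log_subtype="vulnerability" severity="informational"
| where cidrmatch("10.0.0.0/8", src_ip)
    OR cidrmatch("172.16.0.0/12", src_ip)
    OR cidrmatch("192.168.0.0/16", src_ip)
| stats count BY src_ip
```

The inputlookup subsearch in the first query expands to `src_ip="..." OR src_ip="..." ...`, so it only matches addresses that appear verbatim in the CSV, and it is capped by the subsearch result limit (10,000 rows by default, the [subsearch] maxout setting in limits.conf). Two things explain the earlier results in this thread: a join on src cannot match anything if the event field is actually src_ip, and `join type=left` keeps every outer event whether or not it matched the lookup, which is why that form returns public addresses as well.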

renjith_nair
Legend

@ajayrejin,

Try this and let us know if it works.

index=firewall log_subtype=vulnerability severity=informational |eval flag=0
|append [inputlookup PRIVATE_IP.csv |eval flag=1]
|stats count, max(flag) as flag by src

If the count is > 1 and flag=1, then it's a private IP that is part of your lookup file.

---
What goes around comes around. If it helps, hit it with Karma 🙂