Sequential automatic lookups not working...

responsys_cm
Builder

Here is my props.conf for the Qualys vulnerability data:

[qualys:hostDetection]
LOOKUP-2_qualys_nvd_lookup = nvd_db_lookup cve AS cve OUTPUT cvss_access_complexity AS cvss_access_complexity, cvss_access_vector AS cvss_access_vector, cvss_authentication AS cvss_authentication, cvss_availability_impact AS cvss_availability_impact, cvss_base AS cvss_base, cvss_confidentiality_impact AS cvss_confidentiality_impact, cvss_exploit AS cvss_exploit, cvss_integrity_impact AS cvss_integrity_impact, summary AS summary

LOOKUP-1_qualys_kb_lookup = qualys_kb_lookup QID as qid OUTPUT VULN_TYPE as vuln_type, PATCHABLE as patchable, PCI_FLAG as PCI_flag, TITLE as signature, CATEGORY as vuln_category, PUBLISHED_DATETIME as published_datetime, CVSS_BASE as cvss, CVSS_TEMPORAL as cvss_temporal, CVE as cve, VENDOR_REFERENCE as xref

The LOOKUP-1_qualys_kb_lookup comes straight from the Qualys TA.

The second one should take the CVE ID returned from the first lookup and then grab the associated CVSS metrics from another lookup table.

The lookup names in lexicographical order should have them working properly, but I never get the CVSS metrics. I've copied the lookup logic into the search pipeline and that works fine, so I know it isn't a problem with the lookup syntax.

Any ideas on why this isn't working?

Thx.

0 Karma

493669
Super Champion

Hi @responsys_cm
It seems to be a permission issue, so include the stanza below in metadata/default.meta:

 [props/<sourcetype_name>/LOOKUP-<Automatic_Lookup_Name>]
 export = system

In your case it will be

# The stanza is keyed by the LOOKUP-<name> setting from props.conf, not by the transforms.conf stanza name
[props/qualys:hostdetection/LOOKUP-2_qualys_nvd_lookup]
export = system
0 Karma

responsys_cm
Builder

I tried that and it didn't work. When I look at the permissions for the lookup table and the automatic lookup, they are all set to Global...

0 Karma

responsys_cm
Builder

I'm seeing this error message:

01-12-2018 18:11:30.440 +0000 ERROR LookupOperator - The lookup table 'nvd_db_lookup' does not exist. It is referenced by configuration 'qualys:hostdetection'.

The lookup table exists on disk. The data in it looks valid. The transforms.conf entry for that lookup is:

[nvd_db_lookup]
filename = nvd_db_lookup.csv
max_matches = 1

That's the file name. All these configs are in the same search app.

0 Karma
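The two things the thread leans on, that LOOKUP-* settings under a sourcetype run in ASCII order of their names and that a later lookup can match on a field an earlier one OUTPUT, are easy to check outside Splunk. The script below is an added example, not code from the thread or from Splunk: it parses props.conf and transforms.conf fragments shaped after the posted stanzas, verifies that every referenced lookup definition resolves to a CSV that exists (the condition behind the "lookup table does not exist" error quoted above), and then runs the chain over one constructed event. The conf text, CSV rows and the sample event are all constructed; Splunk's own matching rules (case_sensitive_match, wildcards, time-based lookups, bundle replication) are not modelled.

```python
"""Simulate chained Splunk automatic lookups on constructed data (added example)."""
import configparser
import csv
import io
import re

# Constructed conf fragments, shaped after the stanzas posted in the thread.
PROPS = """
[qualys:hostDetection]
LOOKUP-2_qualys_nvd_lookup = nvd_db_lookup cve AS cve OUTPUT cvss_base AS cvss_base, cvss_access_vector AS cvss_access_vector
LOOKUP-1_qualys_kb_lookup = qualys_kb_lookup QID as qid OUTPUT TITLE as signature, CVE as cve, CVSS_BASE as cvss
"""
TRANSFORMS = """
[qualys_kb_lookup]
filename = qualys_kb.csv
max_matches = 1

[nvd_db_lookup]
filename = nvd_db_lookup.csv
max_matches = 1
"""
# Constructed CSV contents keyed by filename; stands in for the app's lookups/ directory.
LOOKUP_FILES = {
    "qualys_kb.csv": "QID,TITLE,CVE,CVSS_BASE\n90001,Example SMB flaw,CVE-2017-0000,9.3\n",
    "nvd_db_lookup.csv": "cve,cvss_base,cvss_access_vector\nCVE-2017-0000,9.3,NETWORK\n",
}
# Constructed event: the Qualys detection carries a QID but no CVE of its own.
SAMPLE_EVENT = {"sourcetype": "qualys:hostDetection", "host": "web01", "qid": "90001"}


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'LOOKUP-1_...' exactly; the default would lowercase it
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def parse_pairs(text):
    """'A AS b, C' -> [('A', 'b'), ('C', 'C')]  (lookup field, event field)."""
    pairs = []
    for item in text.split(","):
        parts = re.split(r"\s+as\s+", item.strip(), flags=re.I)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else parts[0]))
    return pairs


def parse_lookup_spec(spec):
    """Split '<table> <inputs> OUTPUT|OUTPUTNEW <outputs>' into its parts."""
    match = re.match(r"(\S+)\s+(.*?)\s+(OUTPUT|OUTPUTNEW)\s+(.*)$", spec, re.S)
    table, inputs, mode, outputs = match.groups()
    return table, parse_pairs(inputs), mode, parse_pairs(outputs)


def ordered_lookups(props, sourcetype):
    """LOOKUP-* settings of one sourcetype in ASCII order, which is the order Splunk runs them."""
    stanza = props[sourcetype]
    return [(key, parse_lookup_spec(stanza[key])) for key in sorted(stanza) if key.startswith("LOOKUP-")]


def check_lookup_files(props, transforms, files):
    """Return lookup names referenced in props.conf that have no definition or no CSV file."""
    missing = []
    for sourcetype in props:
        for _, (table, *_rest) in ordered_lookups(props, sourcetype):
            definition = transforms.get(table)
            if definition is None or definition.get("filename") not in files:
                missing.append(table)
    return missing


def apply_automatic_lookups(event, sourcetype, props, transforms, files):
    """Enrich a copy of `event` with each LOOKUP-* of `sourcetype`, in ASCII order.

    Because the lookups run in order, the second one sees the `cve` field that the
    first one OUTPUT. An unresolvable table raises instead of being skipped silently.
    """
    event = dict(event)
    for name, (table, inputs, mode, outputs) in ordered_lookups(props, sourcetype):
        definition = transforms.get(table)
        if definition is None or definition.get("filename") not in files:
            raise LookupError(f"lookup table '{table}' does not exist; referenced by '{sourcetype}' via {name}")
        rows = list(csv.DictReader(io.StringIO(files[definition["filename"]])))
        max_matches = int(definition.get("max_matches", 1000))  # Splunk's documented CSV default
        matched = 0
        for row in rows:
            # Exact string match on every input pair; case_sensitive_match is not modelled.
            if all(row.get(lookup_field) == event.get(event_field) for lookup_field, event_field in inputs):
                for lookup_field, event_field in outputs:
                    if mode == "OUTPUTNEW" and event_field in event:
                        continue  # OUTPUTNEW never overwrites an existing field
                    event[event_field] = row[lookup_field]
                matched += 1
                if matched >= max_matches:
                    break
    return event


if __name__ == "__main__":
    props, transforms = parse_conf(PROPS), parse_conf(TRANSFORMS)
    print("missing tables:", check_lookup_files(props, transforms, LOOKUP_FILES))
    print("enriched event:", apply_automatic_lookups(SAMPLE_EVENT, "qualys:hostDetection", props, transforms, LOOKUP_FILES))
    # Drop the NVD CSV to reproduce the shape of the error quoted in the thread.
    print("with NVD file removed:", check_lookup_files(props, transforms, {"qualys_kb.csv": LOOKUP_FILES["qualys_kb.csv"]}))
```

Run it as-is and the enriched event carries `cve`, `cvss` and `signature` from the first lookup and `cvss_base` and `cvss_access_vector` from the second, which is what the chained props.conf is supposed to produce; remove `nvd_db_lookup.csv` from `LOOKUP_FILES` and `check_lookup_files` names the table Splunk would complain about. When the real deployment shows the error while the file is present in the search app, the same check is worth repeating wherever the search actually executes (for instance on indexers receiving the knowledge bundle), since this simulation only sees one copy of the files.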