Splunk Search

Why are exclusions using lookup failing?

rgarcia
Engager

I'm looking signatures in snort but I want to exclude some of the signature IDs by using inputlookup, but it doesn't seem to exclude them.

My search

index=security-snort sourcetype="snort" | search NOT [ | inputlookup SnortSigEx.csv ] | stats values(name) as name by signature | dedup signature

 

Labels (1)
Tags (1)
0 Karma

to4kawa
Ultra Champion

index=security-snort sourcetype="snort" | search NOT [ | inputlookup SnortSigEx.csv | fields signature | format] | stats values(name) as name by signature | dedup signature

0 Karma

rgarcia
Engager

Thanks for replying, but unfortunetely I'm still seeing the IDs in the search results...which are supposed to be excluded. 

Does the lookup file need to be in a certain format (header names)? Permission are set to all apps and for admin and power users

Note: I'm an Admin

0 Karma

to4kawa
Ultra Champion

please provide CSV and search detail.

0 Karma

rgarcia
Engager

Search 

 

index=security-snort sourcetype="snort" | search NOT [ | inputlookup SnortSigEx.csv | fields signature | format] | stats values(name) as name by signature | dedup signature

 

snort.PNG

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rgarcia,

I suppose that the field name of the signature ID is signature in both the security-snort index and  lookup, in this case try, please, something like this:

index=security-snort sourcetype="snort" NOT [ | inputlookup SnortSigEx.csv | fields signature ] 
| stats values(name) as name by signature

If instead tyhe field name s are different and you have  ID in the security-snort index and fields1 in lookup, in this case try, please, try this:

index=security-snort sourcetype="snort" NOT [ | inputlookup SnortSigEx.csv | rename column1 AS ID | fields ID ] 
| stats values(name) as name by ID

Ciao.

Giuseppe

0 Karma

rgarcia
Engager

Thanks for replying, but unfortunately neither worked as the search returned all the values ignoring the input lookup file to exclude the sig id.

Is there another way to exclude multiple values? snort2.PNG 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rgarcia,

could you share:

  • a sample of your logs where there's the "53590" signature? (You can take it in the events tab),
  • the lookup column names,
  • the "53590" value in lookup.

Then, could you check what's the field name of signature in security-snort index and lookup (field names are case sensitive)?

Ciao.

Giuseppe

0 Karma

rgarcia
Engager

Here is the field from the eventssnort3.PNG

0 Karma

rgarcia
Engager

I already provided that info in my previous posts.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rgarcia,

Sorry I forgot it!

Anyway, the field name of signature in Lookup isn't signature but Column1, so you have to rename it in lookup or in the search.

if in the search, try this please:

index=security-snort sourcetype="snort" NOT [ | inputlookup SnortSigEx.csv | rename column1 AS signature | fields signature ] 
| stats values(name) as name by signature

To use a lookup to exclude or include values in a search, the field names must be the same in both the main search and the lookup.

 Ciao.

Giuseppe

0 Karma

rgarcia
Engager

Thank you, just had to use upper-case "c" and it worked.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rgarcia,

Good!

Please accept the answer fo the other people of the Community.

Ciao and next time!

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...