I'm looking at signatures in Snort, but I want to exclude some of the signature IDs by using inputlookup, and it doesn't seem to exclude them.
My search
index=security-snort sourcetype="snort" | search NOT [ | inputlookup SnortSigEx.csv ] | stats values(name) as name by signature | dedup signature
index=security-snort sourcetype="snort" | search NOT [ | inputlookup SnortSigEx.csv | fields signature | format] | stats values(name) as name by signature | dedup signature
Thanks for replying, but unfortunately I'm still seeing the IDs in the search results, which are supposed to be excluded.
Does the lookup file need to be in a certain format (header names)? Permissions are set to all apps and for admin and power users.
Note: I'm an Admin
Please provide the CSV and search details.
Search
index=security-snort sourcetype="snort" | search NOT [ | inputlookup SnortSigEx.csv | fields signature | format] | stats values(name) as name by signature | dedup signature
Hi @rgarcia,
I suppose that the field name of the signature ID is signature in both the security-snort index and the lookup; in this case, please try something like this:
index=security-snort sourcetype="snort" NOT [ | inputlookup SnortSigEx.csv | fields signature ]
| stats values(name) as name by signature
If instead the field names are different and you have ID in the security-snort index and fields1 in the lookup, then please try this:
index=security-snort sourcetype="snort" NOT [ | inputlookup SnortSigEx.csv | rename column1 AS ID | fields ID ]
| stats values(name) as name by ID
Ciao.
Giuseppe
Thanks for replying, but unfortunately neither worked as the search returned all the values ignoring the input lookup file to exclude the sig id.
Is there another way to exclude multiple values?
Hi @rgarcia,
could you share:
Then, could you check what the field name of signature is in the security-snort index and in the lookup (field names are case sensitive)?
Ciao.
Giuseppe
Here is the field from the events
I already provided that info in my previous posts.
Hi @rgarcia,
Sorry I forgot it!
Anyway, the field name of signature in Lookup isn't signature but Column1, so you have to rename it in lookup or in the search.
If in the search, please try this:
index=security-snort sourcetype="snort" NOT [ | inputlookup SnortSigEx.csv | rename column1 AS signature | fields signature ]
| stats values(name) as name by signature
To use a lookup to exclude or include values in a search, the field names must be the same in both the main search and the lookup.
Ciao.
Giuseppe
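An added example, not from this thread, that reproduces the exclusion mechanism with makeresults so it runs without the CSV file, followed by the lookup-command form of the same exclusion. The signature IDs, the event names and the Column1 header are constructed assumptions; SnortSigEx.csv is assumed to be shared with the app running the search.

```spl
| makeresults count=4
| streamstats count AS n
| eval signature=case(n=1, "1:2000", n=2, "1:2001", n=3, "1:3000", n=4, "1:3001"),
       name="constructed alert ".signature
| fields - n
| search NOT [ | makeresults
               | eval signature=split("1:2000,1:2001", ",")
               | mvexpand signature
               | table signature ]
| stats values(name) AS name BY signature

index=security-snort sourcetype="snort"
| lookup SnortSigEx.csv Column1 AS signature OUTPUT Column1 AS excluded
| where isnull(excluded)
| stats values(name) AS name BY signature
```

The first search returns only 1:3000 and 1:3001, because the subsearch expands to NOT ((signature="1:2000") OR (signature="1:2001")); had the subsearch's field been named Column1 instead of signature, the exclusion would silently match nothing, which is the symptom reported above. The lookup form avoids the subsearch result limit (10,000 rows by default) when the exclusion list is long.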
Thank you, just had to use upper-case "c" and it worked.
Hi @rgarcia,
Good!
Please accept the answer for the other people of the Community.
Ciao and next time!
Giuseppe
P.S.: Karma Points are appreciated 😉