Splunk Search

Why are users unable to see the results of this search?

New Member

Base users are unable to get results of the search. As an Admin, I am able to view the data. Search is below. I can query inputlookup by itself without adding the first line and get results back.

(index=a) OR (index=b sourcetype=e rec_type=502) 
[| inputlookup indicator where (TYPE=sha256 OR TYPE=md5) and Status=Active 
| eval Caller_MD5=if(TYPE == "MD5", INDICATOR_VALUE, null()) 
| eval sha256=if(TYPE == "SHA256", INDICATOR_VALUE, null()) 
| eval file_hash=sha256 
| fields Caller_MD5, sha256, file_hash 
| fields - _raw 
| format mvsep="OR" "(" "" "OR" "" "OR" ")"] 
| eval INDICATOR_VALUE=mvappend(Caller_MD5, sha256, file_hash) 
| eval dst=mvzip(dest_ip, dest_port, ":") 
| lookup indicator INDICATOR_VALUE OUTPUTNEW COMMENT, SOURCE
| where match(COMMENT, ".")
| stats earliest(_time) as earliest, latest(_time) as latest, count, values(index) as index, values(src_ip) as src_ip, values(dst) as dst, values(dest_port) as dest_port, values(INDICATOR_VALUE) as INDICATOR_VALUE, values(sourcetype) as sourcetype by COMMENT
| convert ctime(latest) ctime(earliest)
| table COMMENT earliest latest count index sourcetype src_ip dst INDICATOR_VALUE SOURCE
0 Karma

Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma

SplunkTrust

I've been through this code several times, and I can't figure out what you are doing in line 9. Since sha256 and file_hash have the same value, you are getting either one copy of the MD5 Indicator value or two copies of the sha256 one. What's the function of that?

What is being passed to the lookup? If you just need one copy of whichever one is present, then you could use

| eval INDICATOR_VALUE=coalesce(Caller_MD5, sha256) 
0 Karma

SplunkTrust

Check if the base users have access to the indexes being used (endpoint_monitor and estreamer).

0 Karma

Motivator

Can you please check if the users who are not getting the result back have appropriate permissions on this lookup table and lookup table definition.

You can check permissions on lu_cti_indicator by going into:
Settings » Lookups » Lookup definitions
Alternatively, check also Settings » Lookups » Lookup table files

Check the scope of the app where users are trying to search vs where the lookup is uploaded.
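As an added example (not part of the original thread or any reply), the three checks raised above can be run from the search bar by an admin instead of clicked through in Settings: the first search lists which indexes a role may search and any search filter attached to it, the second and third show the sharing level, owning app and read permissions of the lookup table file and of the lookup definition, and the last one counts how many rows the subsearch would return, since a subsearch is silently truncated at the limits.conf [subsearch] maxout value (10000 rows by default). The role name `user`, the file name `lu_cti_indicator.csv` and the `splunk_server=local` scoping are assumptions; substitute the real role and file names.

```spl
| rest /services/authorization/roles splunk_server=local
| search title="user"
| table title srchIndexesAllowed srchIndexesDefault srchFilter imported_roles

| rest /servicesNS/-/-/data/lookup-table-files splunk_server=local
| search title="lu_cti_indicator.csv"
| table title eai:acl.app eai:acl.owner eai:acl.sharing eai:acl.perms.read eai:acl.perms.write

| rest /servicesNS/-/-/data/transforms/lookups splunk_server=local
| search title="lu_cti_indicator"
| table title filename eai:acl.app eai:acl.owner eai:acl.sharing eai:acl.perms.read

| inputlookup lu_cti_indicator where (TYPE=sha256 OR TYPE=md5) and Status=Active
| stats count
```

For a base user to get results, every index referenced in the outer search must appear in srchIndexesAllowed (directly or via imported roles), both the lookup file and the lookup definition must be shared at app or global level with a read permission that includes the user's role, and the app holding them must be the one the search runs in or global. If the final count is above the subsearch limit, the generated OR clause is incomplete for everyone, including the admin, so that case does not explain an admin-only difference.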

New Member

The lookups already have permissions to lu_cti_indicator. I think it is an issue with the subsearch. If I search the lookup I am getting data back. Any idea what else to look for?

| inputlookup lu_cti_indicator where (TYPE=sha256 OR TYPE=md5) and Status=Active
| eval Caller_MD5=if(TYPE == "MD5", INDICATOR_VALUE, null())
| eval sha256=if(TYPE == "SHA256", INDICATOR_VALUE, null())
| eval file_hash=sha256
| fields Caller_MD5, sha256, file_hash
| fields - _raw
| format mvsep="OR" "(" "" "OR" "" "OR" ")"

0 Karma