I'm trying to filter out my logs for all non campus/company IPs. I'd like to be able to do different searches for "allowed", "deny|denied", etc. to see what connections are being attempted/made.
I followed the directions here:
http://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table
and created a separate csv file currently containing 3 subnets (e.g. 123.123.0.0/16) but am not quite able to get the results that I'm looking for. It appears to be working but is drastically filtering out many results when a simple search for "123.123.." returns thousands more.
Using the latest version of Splunk, what is a simple way, or the best practice, for entering in a handful of subnets and then returning results based on whatever other criteria I'm interested in? ("allow*", "deny|denied", ports)
I am a Splunk novice and have just installed the trial so my experience is quite limited.
Thanks
Well. In order to make any real sense of your logs, especially if you do any aggregation, you'll want/need to extract the relevant information as fields.
Lookups are based on fields, i.e. given that you have a field 'first_name' with a value 'Bob' in an event, you can call for a lookup that returns the value of the 'last_name' column, on the row where the 'first_name' value is 'Bob'.
first_name last_name
Alice Appleby
Bob Bacon
Crane Caterpillar
The answer (as always) is Bacon.
NB, lookup files are comma separated. This is just for enhanced readability. You should probably read up on the tutorial section of the docs, which covers both fields and lookups.
Hope this helps,
K
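To make the "lookups work on fields" point concrete, here is an added example (not from the thread or from Splunk) that models the two steps in Python: extract a src_ip field from events like the ones posted in this thread, then apply the CIDR subnet list the way a CIDR lookup would. The subnets and events are constructed; the last event keeps an impossible octet on purpose to show why a free-text search can match events that a field-based CIDR lookup never will.

```python
import ipaddress
import re

# Constructed stand-in for the CIDR lookup CSV from the question (subnet column only).
CAMPUS_SUBNETS = [ipaddress.ip_network(s) for s in ("123.123.0.0/16", "10.20.0.0/16", "192.168.5.0/24")]

# Constructed sample events modelled on the ones posted in the thread. IPs are made up; the
# last event deliberately keeps an impossible octet (273) like the posted sample does.
EVENTS = [
    "Accepted publickey for root from 12.34.56.78 port 53394 ssh2",
    "Failed none for invalid user carlos from 67.34.56.78 port 37228 ssh2",
    "Accept TCP 114.64.200.236:58543 123.123.10.10:389 out via en0",
    "Failed password for admin from 123.123.42.7 port 50001 ssh2",
    'IP 164.64.273.236 - - [26/Aug/2013:15:31:18 -0800] "Saved for Reconnect User: asmith"',
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ACTION_RE = re.compile(r"\b(Accept|Accepted|Failed|Deny|Denied)\b")


def extract_fields(event):
    """Field extraction (what a rex/props extraction does): first IP seen, plus a normalised action."""
    ips = IP_RE.findall(event)
    m = ACTION_RE.search(event)
    action = None if m is None else ("allowed" if m.group(1).startswith("Accept") else "denied")
    return {"src_ip": ips[0] if ips else None, "action": action}


def classify_event(event):
    """Return (status, src_ip, action); status is what a CIDR lookup on src_ip would decide."""
    f = extract_fields(event)
    if f["src_ip"] is None:
        return ("no_ip", None, f["action"])          # no field -> a field-based lookup never fires
    try:
        addr = ipaddress.ip_address(f["src_ip"])
    except ValueError:
        return ("bad_ip", f["src_ip"], f["action"])  # octet > 255: text search hits it, CIDR never will
    status = "campus" if any(addr in net for net in CAMPUS_SUBNETS) else "noncampus"
    return (status, f["src_ip"], f["action"])


def non_campus_events(events, actions=None):
    """Non-campus events, optionally narrowed to a set of actions ({"allowed"}, {"denied"}, ...)."""
    out = []
    for ev in events:
        status, ip, action = classify_event(ev)
        if status == "noncampus" and (actions is None or action in actions):
            out.append((ip, action))
    return out
```

Events that yield no usable src_ip field (status no_ip or bad_ip) are exactly the ones a field-based lookup silently skips while a plain text search still returns them.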
Accept TCP 114.64.273.236:58543 123.123.10.10:389 out via en0
read_data: read failure for 4 bytes to client 67.35.57.38. Error = Operation timed out
67.31.59.38 (67.31.59.38) closed connection to service clssignage
I copied the logs from a problematic OSX (*nix) server to a test installation of Splunk on a different server. I don't have the IPs extracted. I haven't read up on how to do that, or the benefits.
Here are some sample events. IPs have been changed to random numbers:
Accepted publickey for root from 12.34.56.78 port 53394 ssh2
Failed none for invalid user carlos from 67.34.56.78 port 37228 ssh2
Packet send failed to 34.44.128.35(137) ERRNO=No route to host
IP 164.64.273.236 - - [26/Aug/2013:15:31:18 -0800] "Saved for Reconnect User: asmith" 1377489588 2822 0
thank you
What is your input data, i.e. what logs do you use? Please post a few sample events.
Do you have the IPs as extracted fields, or is this purely free-text searching?