×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
carldipace
New Member
Member since: ‎04-04-2019
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-04-2019
Activity Feed
View All

Re: Match IP from main search to an IP in lookup f...

by in Splunk Search
‎05-09-2019 07:50 AM
‎05-09-2019 07:50 AM
Try this index=fda_sec_suricata sourcetype=suricata (src_ip!=10.X.X.X/X AND src_ip!=172.X.X.X/X AND src_ip!=192.X.X.X/X) (host="10.X.X.X" OR host="10.X.X.X" OR host="10.X.X.X" OR host="10.X.X.X" OR host="10.X.X.X" OR host="10.X.X.X") [| inputlookup YourLookup.csv | table host_ip | rename host_ip as dest_ip ] | eval CVE_listed=if(isnotnull(reference_cve) OR like(signature,"%CVE"),1,0) | rex field=signature "CVE-(?\d+-\d+)" | eval reference_cve="CVE-".reference_cve | search (CVE_listed=1) | dedup reference_cve, src_ip, src_port, dest_ip, dest_port | table category, signature, severity, reference_cve, reference_url, src_ip, src_port, dest_dns, dest_nt_host, dest_ip, dest_port, _time ... View more

Re: Format CVE using Regex

by in Splunk Search
‎04-04-2019 07:45 AM
‎04-04-2019 07:45 AM
Thank you! That worked. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM