cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cthulhucalling
Engager
Member since: ‎06-11-2019
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎06-11-2019
Activity Feed
Topics I've Started
View All

Re: Using a lookup for search

by in Splunk Search
‎06-12-2019 08:33 AM
‎06-12-2019 08:33 AM
Adding WILDCARD(uri_path) to the lookup definition did the trick! Thank you! ... View more

Re: Using a lookup for search

by in Splunk Search
‎06-12-2019 07:42 AM
‎06-12-2019 07:42 AM
I don't have shell access to that particular search head, so I can't do that. ... View more

Re: Using a lookup for search

by in Splunk Search
‎06-12-2019 07:33 AM
‎06-12-2019 07:33 AM
The issue appears to be that I'm wildcarding the signatures. If I change /etc/passwd to just /etc/passwd, I do get the description when I do this: earliest=-1d index=web [| inputlookup web_attack_sigs.csv | fields uri_path] | lookup web_attack_sigs.csv uri_path OUTPUT description I'm guessing that because of the wildcards, it's not an exact match when the lookup occurs, so it's not a hit and the description isn't added. The issue is that I get only results where the request is exactly for /etc/passwd. ... View more

Re: Using a lookup for search

by in Splunk Search
‎06-12-2019 07:14 AM
‎06-12-2019 07:14 AM
The first query returns anything with "description" in the event. The second one I had tried yesterday. It returns relevant results but the description line is not being added to the events. ... View more

Re: Using a lookup for search

by in Splunk Search
‎06-12-2019 06:58 AM
‎06-12-2019 06:58 AM
I tried this query. Unfortunately, it returned 0 results. ... View more

Using a lookup for search

by in Splunk Search
‎06-11-2019 03:48 PM
‎06-11-2019 03:48 PM
I have a small CSV file with common attack signatures in them that I have uploaded as a lookup called web_attack_signatures.csv: uri_path, description */etc/passwd*, Passwd file access attempt *phpadmin*, PHPadmin access attempt Ignoring the fact that these signatures are inefficient, the idea is that the lookup feeds the search, looking for any attack signature matches matches in my web logs. The relevant field in my logs is also called uri_path. So far I have been able to pull relevant events using this query: earliest=-1d index=web [| inputlookup web_attack_sigs.csv | fields uri_path] But I cannot get get the description field to be added to the results. I've tried adding "description" to the fields command with 0 results, and tried piping the events to another lookup command but that didn't work either. Can anyone help? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All