×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
HansNL
Loves-to-Learn
Member since: ‎06-14-2022
‎06-16-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-14-2022
View All

Re: How do I write a lookup after a lookup is sear...

by in Splunk Search
‎06-16-2022 03:09 AM
‎06-16-2022 03:09 AM
OK fixed the lookup command, apperantly the lookup table was corrupted during import. But still, this did not do the trick, the output is still empty. just to give some more input. Attacktoolsh.csv has a content of: "discovery_or_attack",filename,hash,platform attack,nmap,,linux attack,nc,,linux attack,tcpdump,,linux attack,putty,,windows the secondlookup.csv  file has: filename,computername,username nmap,pc001, putty,pc002,user1 the default search give an output of all so no problem there. but what i am lookin for it that primary search only show computers that are not in the secondlookup.csv list. so pc003 that runned putty should be displayed. ... View more

Re: How do I write a lookup after a lookup is sear...

by in Splunk Search
‎06-15-2022 04:42 AM
‎06-15-2022 04:42 AM
Hi, and thanks for the fast response. Sadly this does not work, i do get an " lookup command: could not construckt lookup. have tried diverent settings but keeps up comming with this error after the mvexpand command. any ideas   ... View more

How do I write a lookup after a lookup is search m...

by in Splunk Search
‎06-14-2022 02:32 PM
‎06-14-2022 02:32 PM
Hi, am working on a lookup in a lookup. i have the following search: index=* source="*WinEventLog:Security" EventCode=4688 [| inputlookup attacktoolsh.csv WHERE discovery_or_attack=attack | stats values(filename) as search | format] | transaction host maxpause=10m | where eventcount>=5 | fields - _raw closed_txn field_match_sum linecount |table ComputerName, New_Process_Name, Process_Command_Line, _time, eventcount This works fine, the lookup attactoolsh.csv has the tools, an i have a hit on a client. now i would like to intergrate a second lookup file in the search that looks a file with a computername/username in it, that if the search hits on attacktoolsh.csv it looks in the second file and if a computer/user is in that file the search should not produce a notable.  in short, computer A is running "nmap" this is allowed on computer A and Computer A is in the second file. Computer B is running "nmap" and is not allowed to run this, so produce a notable / warning. anybody an idea how to intergrate this toghter. Thanks. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-16-2022 10:02 AM