Splunk Search

Lookup table matches and associated fields

Armyeric
Path Finder

I have a rather large lookup table of IP addresses and domain names. I keep adding to this list as we get advisories from various groups. The list has gotten so large that I forget what some of them were for, so I have begun to place (in comma delimited form) referring group (aka FBI, SANS, etc.) and what type of attack it is a part of (pony, struts2, etc.). My lookup table works fine, but how do I get the other two entries to be included when I get a hit on an address?

Here is what I have:
index="firewall" dst_ip OR scr_ip( [|inputlookup bad_actors.csv|rename host as query | fields query] ) NOT www.google.com

*the NOT www.google.com is my sanity checker I put in my tables to make sure things are working correctly.

Obviously the search is going to bring up any hits I may get and I can obviously put it into to a report, but I need to know how to get the second and third fields in there to make it useful.

Thanks for looking!

Tags (1)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Based on your search, I assume there is a field with name 'query' in your events.
Try following:

index="firewall"  dst_ip OR scr_ip  NOT www.google.com |lookup bad_actors.csv query OUTPUT referringGroup attackType | where isnotnull(referreingGroup)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Change 'fields query' to 'fields query referringGroup attackType'. The last two fields should match whatever is in the header of bad_actors.csv.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...