Splunk Search

Lookup not returning results that are listed in the csv file

masplunk
Explorer

I have a lookup based on a csv that is a list of IPs with one heading (src_ip) and my search is built to notify on failed logins, but to exclude the lookup. So at the end of the search string I put
NOT [|inputlookup lookupname]
This seems to work and excludes most of the IPs in the list.
My question is: it does not exclude ALL IPs on the list. I've verified that they are indeed in the lookup.csv file that I based it on, but it still does not exclude them.
If anyone has any ideas I would greatly appreciate it!! Thanks.

0 Karma
1 Solution

Yasaswy
Contributor

I would guess there might be differences in those IP addresses when compared to the ones from the lookup table.... like maybe an extra space/special character (either in the lookup or in the source)?? More data will help. Can you put out a sample output and the search query being used?


0 Karma

masplunk
Explorer

Search String:

index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time

Here is a sample output (sorry about the terrible format)

_time    host  src_ip          user     vendor_action  linux_message
Tue May        10.193.XXX.XXX  vagrant  Invalid user   Invalid user vagrant from 10.193.XXX.XXX
Tue May        10.193.XXX.XXX  vagrant  Invalid user   Invalid user vagrant from 10.193.XXX.XXX
Tue May        10.193.XXX.XXX  admin    Invalid user   Invalid user admin from 10.193.XXX.XXX
Tue May        10.193.XXX.XXX  pi       Invalid user   Invalid user pi from 10.193.XXX.XXX

The csv lookup table has the one field (src_ip) and I have edited it on the server manually and removed/re-added the IP in question, but it still continues to show up.

Thanks !

0 Karma

Yasaswy
Contributor

All seem ok... maybe the field name needs to be explicitly stated. Did you try the below?

index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname|fields src_ip] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time
0 Karma
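As an added diagnostic (not part of this thread, and not Splunk's own tooling): a small Python script that audits a one-column src_ip lookup CSV for the hidden differences suspected above (a BOM before the header, trailing spaces, a CR left from a CRLF line ending, tabs). The NOT [|inputlookup ... | fields src_ip] subsearch expands to literal src_ip="..." comparisons, so such rows never match the clean IPs in events. SAMPLE_LOOKUP is a constructed file body; the IP values in it are made up.

```python
import ipaddress

# Constructed sample of what the one-column lookup CSV might look like on disk
# after manual edits: a UTF-8 BOM before the header, a trailing space, a CR
# left from a CRLF line ending, and a leading tab. The subsearch in
# NOT [|inputlookup linuxlookupname | fields src_ip] compares values
# literally, so the decorated rows would not exclude clean IPs seen in events.
SAMPLE_LOOKUP = (
    "\ufeffsrc_ip\n"
    "10.193.1.10\n"
    "10.193.1.11 \n"
    "10.193.1.12\r\n"
    "\t10.193.1.13\n"
    "10.193.1.14\n"
)

def audit_lookup(text, field="src_ip"):
    """Return (header_ok, clean_ips, findings); findings are (line_no, repr, why).
    Only rows that are byte-for-byte a valid IP count as clean, which is what a
    literal src_ip="..." match in the expanded subsearch needs."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing newline, not an empty row
    findings = []
    header = lines[0] if lines else ""
    header_ok = header == field          # a BOM or stray space breaks the name
    if not header_ok:
        findings.append((1, repr(header), f"header is not exactly {field!r}"))
    clean = []
    for n, raw in enumerate(lines[1:], start=2):
        if raw != raw.strip():           # catches space, tab and CR
            findings.append((n, repr(raw), "leading/trailing whitespace or CR"))
            continue
        try:
            ipaddress.ip_address(raw)
        except ValueError:
            findings.append((n, repr(raw), "not a valid IP address"))
            continue
        if raw in clean:
            findings.append((n, repr(raw), "duplicate entry"))
            continue
        clean.append(raw)
    return header_ok, clean, findings

def would_exclude(event_ip, clean_ips):
    """Mirror the literal comparison the expanded subsearch performs."""
    return event_ip in clean_ips
```

Run audit_lookup on the real file's contents (read with newline="" so CRs survive) and fix every reported row; an IP that still shows up in the alert should then appear in the findings list rather than in clean_ips.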

masplunk
Explorer

This last step seemed to get a little more reliable results; looks like specifying the field helped. Thanks...

0 Karma