Solved: Lookup not returning results that are listed in th...

masplunk · ‎05-05-2015

I have a lookup based on a csv that is a list of IPs with one heading (src_ip) and my seach is built to notify on failed logins, but to exclude the lookup. So at then end of the search string i put
NOT [|inputlookup lookupname]
this seems to work and excludes most of the IPs in the list.
My question is It does not exclude ALL IPs on the list? Ive verifed that they are indeed in the lookup.csv file that i based it on, but it still does not exclude them.
If anyone has any ideas I would greatly appreciate it !! Thanks.

Yasaswy · ‎05-05-2015

I would guess there might be differences in those ip addresses when compared to the ones from lookup table.... like maybe extra space/ special character (either in lookup or in source)?? More data will help. Can you put out a sample output and and search query being used.

View solution in original post

masplunk · ‎05-05-2015

Search Striing:

index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time

Here is a sample output (sorry about the terrible format)
_time host src_ip user vendor_action linux_message
Tue May 10.193.XXX.XXX vagrant Invalid user Invalid user vagrant from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX vagrant Invalid user Invalid user vagrant from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX admin Invalid user Invalid user admin from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX pi Invalid user Invalid user pi from 10.193.XXX.XXX

The csv lookup table has the one feild (src_ip) and I have edited it on the server manually and removed/readded the IP in question but it still continues to show up

Thanks !

Yasaswy · ‎05-05-2015

I would guess there might be differences in those ip addresses when compared to the ones from lookup table.... like maybe extra space/ special character (either in lookup or in source)?? More data will help. Can you put out a sample output and and search query being used.

masplunk · ‎05-05-2015

Search Striing:
index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time

Here is a sample output (sorry about the terrible format)
_time host src_ip user vendor_action linux_message
Tue May 10.193.XXX.XXX vagrant Invalid user Invalid user vagrant from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX vagrant Invalid user Invalid user vagrant from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX admin Invalid user Invalid user admin from 10.193.XXX.XXX
Tue May 10.193.XXX.XXX pi Invalid user Invalid user pi from 10.193.XXX.XXX

The csv lookup table has the one feild (src_ip) and I have edited it on the server manually and removed/readded the IP in question but it still continues to show up

Thanks !

Yasaswy · ‎05-05-2015

all seem ok... maybe the field name need to be explicitly stated. Did you try below?

index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname|fields src_ip] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time

masplunk · ‎06-18-2015

this last step seemed to get little more reliable results, looks like specifying the field helped. Thanks...

Lookup not returning results that are listed in the csv file

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk