I currently have a lookup table that contains 2 columns: date and ioc. The goal is to have Splunk go through the lookup table and match any IPs or domains it finds in the ioc column. However, I would like Splunk to disregard IOCs that have been on the lookup table for 90 days or more. Any help would be great. Below is what I have so far, not much 😕
index=* sourcetype=* [| inputlookup ioc.csv | fields + ioc]
If you just want to do a text search for the IPs from the lookup in your index, try something like this (assuming the date format in your lookup table is %Y-%m-%d):
index=* sourcetype=* [| inputlookup ioc.csv | where strptime(date,"%Y-%m-%d") > relative_time(now(),"-90d") | eval search=ioc | table search ]
If you just want to do a field match (e.g. on the value of src_ip) for the IPs from the lookup table, try something like this:
index=* sourcetype=* [| inputlookup ioc.csv | where strptime(date,"%Y-%m-%d") > relative_time(now(),"-90d") | eval src_ip=ioc | table src_ip ]
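The 90-day age filter and the two match styles from the answer above (free-text search across the event, and a match against one named field), as an added stand-alone Python reference implementation. This is example code written for this edit, not part of the original thread and not Splunk SPL; it assumes the two-column lookup (date, ioc) described in the question. The lookup rows, the log lines, the fixed "now" date and all function names are constructed for the example. It also handles the two date formats that appear in the thread (2015-08-19 and 08/19/2015) and uses a 4-digit-year %Y directive, since parsing a 4-digit year with %y fails.

```python
"""Reference implementation (added example, not Splunk SPL) of: load an IOC
lookup with `date` and `ioc` columns, keep only IOCs added within the last
90 days, and match them against events by free text or by a named field."""
import csv
import io
import re
from datetime import datetime, timedelta

IOC_MAX_AGE_DAYS = 90

# Constructed sample lookup, mirroring the 2-column ioc.csv from the question.
LOOKUP_CSV = """date,ioc
2015-08-01,198.51.100.23
2015-09-10,evil.example.net
2015-05-03,203.0.113.9
2015-09-15,bad-cdn.example.org
"""

# Constructed sample events standing in for what index=* sourcetype=* returns.
EVENTS = [
    "2015-09-20T10:01:02 src_ip=198.51.100.23 dest=10.0.0.5 action=allowed",
    "2015-09-20T10:02:15 query=evil.example.net answer=203.0.113.9 client=10.0.0.7",
    "2015-09-20T10:03:44 src_ip=203.0.113.9 dest=10.0.0.5 action=allowed",
    "2015-09-20T10:04:00 query=good.example.com client=10.0.0.8",
]

# Lookup date formats seen in the thread.  %Y is the 4-digit year; %y would
# only consume "20" from "2015" and the parse would fail.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y")


def parse_lookup_date(text):
    """Parse a lookup `date` value, trying each known format in turn."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised date format: %r" % text)


def load_active_iocs(csv_text, now, max_age_days=IOC_MAX_AGE_DAYS):
    """Return the set of IOCs whose `date` is within max_age_days of `now`.

    Mirrors the subsearch
      | inputlookup ioc.csv | where strptime(date,...) > relative_time(now(),"-90d")
    """
    cutoff = now - timedelta(days=max_age_days)
    active = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if parse_lookup_date(row["date"]) > cutoff:
            active.add(row["ioc"].strip().lower())
    return active


def ioc_pattern(iocs):
    """Compile one alternation matching any IOC as a whole token.

    Values are regex-escaped so the dots in IPs and domains are literal, and
    bounded by non-token characters so 203.0.113.9 does not match 203.0.113.99.
    """
    parts = "|".join(re.escape(i) for i in sorted(iocs, key=len, reverse=True))
    return re.compile(r"(?<![\w.-])(?:%s)(?![\w.-])" % parts, re.IGNORECASE)


def match_events(events, iocs):
    """Free-text match (the `eval search=ioc` form): (event, ioc) pairs."""
    if not iocs:
        return []
    pattern = ioc_pattern(iocs)
    return [(e, m.group(0).lower()) for e in events for m in pattern.finditer(e)]


def match_field(events, iocs, field):
    """Field match (the `eval src_ip=ioc` form): only `field=value` counts."""
    field_re = re.compile(r"(?:^|\s)%s=(\S+)" % re.escape(field))
    hits = []
    for event in events:
        m = field_re.search(event)
        if m and m.group(1).lower() in iocs:
            hits.append((event, m.group(1).lower()))
    return hits


def run_example(now_text="2015-09-20"):
    """Run both match styles over the sample data with a fixed 'now' date."""
    now = parse_lookup_date(now_text)
    active = load_active_iocs(LOOKUP_CSV, now)
    return active, match_events(EVENTS, active), match_field(EVENTS, active, "src_ip")


if __name__ == "__main__":
    active, text_hits, field_hits = run_example()
    print("active IOCs:", sorted(active))
    for event, ioc in text_hits:
        print("text hit", ioc, "in:", event)
    for event, ioc in field_hits:
        print("src_ip hit", ioc, "in:", event)
```

With the sample data and 2015-09-20 as "now", 203.0.113.9 (added 2015-05-03) falls outside the 90-day window and is dropped even though it appears in two events; the remaining three IOCs produce two free-text hits and one src_ip hit. Swap the fixed date for `datetime.now()` in production use.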
Thanks for the response.
I am getting the following:
"Error in 'where' command: Typechecking failed. "-" only takes numbers."
The data in the lookup is %Y-%m-%d
Add this to your search string after removing the last pipe:
The <90days> value should be in the same format as the date in your CSV.
jensonthottian,
The query keeps failing; I get the following error message: "Error in 'inputlookup' command: Invalid argument: 'date>'."
Below is what I tried:
index=* sourcetype=* [| inputlookup ioc2.csv | fields + ioc] NOT [|inputlookup ioc2.csv date> "08/19/2015" fields +ioc]