- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my search to compare a list of IPs f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm still new to Splunk and trying to figure out the correct syntax for lookups.
My goal is to compare a list of known IPs associated with a botnet and see if there is any traffic to/from the IPs in the firewall logs.
index=firewall_logs sourcetype=cisco:asa [ | inputlookup bad_ips.csv | fields IP ]
This returns nothing. What else am I missing? Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi CYBR_AH,
run the search using return instead fields :
index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 IP ]
This will return the results from the lookup file as this string:
(IP="1.1.1.1") OR (IP="2.2.2.2") ....
which will be used in the base search, so the search be in the end:
index=firewall_logs sourcetype=cisco:asa (IP="1.1.1.1") OR (IP="2.2.2.2") ....
Read the docs on return to learn more details http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Return
Hope this helps ...
cheers, MuS
Update:
Sorry the first one was wrong! Try this instead:
| inputlookup bad_ips.csv | search [ search index=firewall_logs sourcetype=cisco:asa | dedup IP | fields IP ]
Hope this makes more sense ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where do ve upload .csv file in splunk which contains list of IPs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi CYBR_AH,
run the search using return instead fields :
index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 IP ]
This will return the results from the lookup file as this string:
(IP="1.1.1.1") OR (IP="2.2.2.2") ....
which will be used in the base search, so the search be in the end:
index=firewall_logs sourcetype=cisco:asa (IP="1.1.1.1") OR (IP="2.2.2.2") ....
Read the docs on return to learn more details http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Return
Hope this helps ...
cheers, MuS
Update:
Sorry the first one was wrong! Try this instead:
| inputlookup bad_ips.csv | search [ search index=firewall_logs sourcetype=cisco:asa | dedup IP | fields IP ]
Hope this makes more sense ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
update ping...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried
index=firewall_logs sourcetype=cisco:asa | [ | inputlookup bad_ips.csv | return 999 $IP] | stats count by dest_ip
and it worked. This gave me a really good starting point. Thanks for your help! 🙂
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
