I have a search for my IDS / IPS systems feeding Splunk. I want to evaluate all the IDS/IPS events that have triggered and check any of the src_ip or dest_ip that originate from an embargoed country. I have a lookup table with one column called Country. I've tried a few different searches, but none have returned any results. I imagine there must be an eval statement I'm missing somewhere...not sure.
Search:
index=ids_ips [| inputlookup embargoed_countries.csv | fields Country] | dedup src_ip dest_ip | iplocation src_ip | fillnull value=No_Country_Defined Country | table src_ip dest_ip Country
Maybe this will help
index=ids_ips | dedup src_ip dest_ip | iplocation src_ip | search [| inputlookup embargoed_countries.csv | fields Country] | table src_ip dest_ip Country
How do you map the country to a src_ip and/or dest_ip? Do the events in index=ids_ips have a Country field in them?
That's kind of what I'm trying to accomplish. Run a search in the ids_ips index (I add the country with the "iplocation src_ip" command). Evaluate the Country from the search against the csv file looking for matches. Hope that makes sense.
Search returns:
src_ip Country
2.2.2.2 United States (don't show in the results)
5.5.5.5 Somalia (show in the results)
Then try the answer by @sundareshr. Validate the lookup table name and the name of the country field (it should match with your search result).
Not sure what happened but the search worked. Thank you for your help.
Unfortunately this search did not do the trick. It only returned 12 lines and all from the same country. I know I have more than a few embargoed_countries banging on the door.
Run this and find the count by country. Then compare with the results from the query above to see whether it is correct or not.
index=ids_ips | dedup src_ip dest_ip | iplocation src_ip | stats count by Country
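As an added example (not from any poster in this thread), this search goes beyond the answer above by geolocating both src_ip and dest_ip and keeping only rows where either side's country appears in the lookup; it assumes embargoed_countries.csv is an uploaded lookup file visible to the search and that its Country column uses the same spellings iplocation emits.

```spl
index=ids_ips
| dedup src_ip dest_ip
| iplocation prefix=src_ src_ip
| iplocation prefix=dest_ dest_ip
| lookup embargoed_countries.csv Country AS src_Country OUTPUT Country AS src_embargoed
| lookup embargoed_countries.csv Country AS dest_Country OUTPUT Country AS dest_embargoed
| where isnotnull(src_embargoed) OR isnotnull(dest_embargoed)
| table src_ip src_Country dest_ip dest_Country
```

Private (RFC 1918) addresses get no country from iplocation and so are never flagged; the where clause drops every row in which neither side matched the lookup.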