- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to return events with an IP ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search for my IDS / IPS systems feeding Splunk. I want to evaluate all the IDS/IPS events that have triggered and check any of the src_ip or dest_ip that originate from an embargoed country. I have a lookup table with one column called Country. I've tried a few different searches, but none have returned any results. I imagine there must be an eval statement I'm missing somewhere...not sure.
Search:
index=ids_ips [|inputlookup embargoed_countries.csv | fields Country] |dedup src_ip dest_ip|iplocation src_ip|fillnull value=No_Country_Defined Country|table src_ip dest_ip Country
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this will help
index=ids_ips |dedup src_ip dest_ip |iplocation src_ip|search [|inputlookup embargoed_countries.csv | fields Country] |table src_ip dest_ip Country
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you map the country to a src_ip and/or dest_ip? Do the event sin index=ids_ips have Country field in them?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's kind of what I'm trying to accomplish. Run a search in the ids_ips index (i add the country with the "iplocation src_ip" command). Evaluate the Country from the search against the csv file looking for matches. Hope that makes sense.
Search returns:
src_ip Country
2.2.2.2 United States (don't show in the results)
5.5.5.5 Somalia (show in the results)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then try the answer by @sundareshr. Validate the lookup table name and the name of the country field (it should match with your search result).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this will help
index=ids_ips |dedup src_ip dest_ip |iplocation src_ip|search [|inputlookup embargoed_countries.csv | fields Country] |table src_ip dest_ip Country
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what happened but the search worked. Thank you for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately this search did not do the trick. It only returned 12 lines and all from the same country. I know I have more than a few embargoed_countries banging on the door.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this and find the count by countries. Then compare the results from above query if that is correct or not
index=ids_ips |dedup src_ip dest_ip |iplocation src_ip | stats count by Country
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
