- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Alert if src_ip or dest_ip exists in lookup table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to create an alert that triggers when a src_ip OR dest_ip exists in a lookup table (e.g. threat_ip_list.csv). But I'm not sure how to create the search string for this. The fields I'm using in the threat_ip_list lookup table are as follows:
src_ip, dest_ip, threat_country, threat_name
(NOTE: The src_ip and dest_ip field values are duplicates of each other in the lookup table.)
If the src_ip OR dest_ip matches an IP address listed in the table, the alert should trigger and provide the threat_country and threat_name information. Any recommendations on how to do this are greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
your search to get ip_address field which contains the ip | lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1 | lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2 | where isnotnull(threat_country1) OR isnotnull(threat_country2) | eval threat_country=coalesce(threat_country1,threat_country2) | eval threat_name=coalesce(threat_name1,threat_name2)| table ip_address threat_country threat_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
your search to get ip_address field which contains the ip | lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1 | lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2 | where isnotnull(threat_country1) OR isnotnull(threat_country2) | eval threat_country=coalesce(threat_country1,threat_country2) | eval threat_name=coalesce(threat_name1,threat_name2)| table ip_address threat_country threat_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I ran the search you provided. Had problems with the "lookup threat_ip_list.csv src_ip as ip_address" and "lookup threat_ip_list.csv dest_ip as ip_address" lines. But I worked around it by adding src_ip and dest_ip fields in the lookup table and giving them equivalent ip values and removing the "as ip_address" from the search string.
Everything else worked great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=somelogs [|inputlookup threat_ip_list.csv | table src_ip | rename src_ip AS search ]
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
