Splunk Search

How to use a lookup file as a whitelist?

alainrojas
New Member

I'm having problems using a lookup file as a whitelist. Basically, I have a simple IP address list with a CIDR mask appended, like:

ip_address
10.20.25.36/20
10.54.22.85/32
192.168.25.14/20

So I uploaded it as PAN_DOS_exceptions.csv, then I defined a stanza in transforms.conf as:

[PAN_DOS_exceptions]
filename = PAN_DOS_exceptions.csv
min_matches = 1
default_match = NONE
match_type = CIDR(ip_address)

Then I used https://my-splunk-server:8000/en-US/debug/refresh to reload transforms.conf, so when I execute the following search:

index="pan_logs" sourcetype=pan_threat log_subtype=flood | NOT [lookup PAN_DOS_exception ip_address AS src_ip]

It returns every entry without filtering against the lookup table. The idea is to exclude from the result those IP addresses that are in the lookup table.

Thoughts?

0 Karma

alemarzu
Motivator

Try something like this.

index="pan_logs" sourcetype=pan_threat log_subtype=flood  NOT [ | inputlookup PAN_DOS_exception.csv | rename ip_address AS src_ip | table src_ip | format]

Hope it helps.

0 Karma

sundareshr
Legend

Try this

index="pan_logs" sourcetype=pan_threat log_subtype=flood | lookup PAN_DOS_exception ip_address AS src_ip OUTPUT ip_address | where isnull(ip_address)

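To check what the CIDR lookup in the answer above should actually drop, here is an added Python model of that exclusion step (not Splunk's code or any poster's): it parses the question's whitelist CSV, resolves each entry the way a CIDR match does (host bits masked off, so 10.20.25.36/20 covers 10.20.16.0 to 10.20.31.255), and keeps only events with no matching entry, which is what `where isnull(ip_address)` does after the lookup. The sample events are constructed.

```python
import csv
import io
import ipaddress

# The whitelist CSV exactly as posted in the question, embedded so this runs offline.
PAN_DOS_EXCEPTIONS_CSV = """ip_address
10.20.25.36/20
10.54.22.85/32
192.168.25.14/20
"""

# Constructed sample events standing in for pan_threat flood events.
SAMPLE_EVENTS = [
    {"src_ip": "10.20.17.9", "log_subtype": "flood"},
    {"src_ip": "10.54.22.85", "log_subtype": "flood"},
    {"src_ip": "10.54.22.86", "log_subtype": "flood"},
    {"src_ip": "192.168.31.200", "log_subtype": "flood"},
    {"src_ip": "172.16.0.5", "log_subtype": "flood"},
]


def load_cidr_whitelist(csv_text):
    """Parse the lookup CSV into a list of networks.

    strict=False masks off host bits, so an entry like 10.20.25.36/20
    becomes 10.20.16.0/20, which is the range a CIDR match covers.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [ipaddress.ip_network(row["ip_address"].strip(), strict=False)
            for row in reader if row["ip_address"].strip()]


def matching_entry(src_ip, networks):
    """Return the first whitelist network containing src_ip, or None.

    None is the no-match case (default_match = NONE, isnull(ip_address)).
    """
    addr = ipaddress.ip_address(src_ip)
    for net in networks:
        if addr in net:
            return net
    return None


def exclude_whitelisted(events, networks):
    """Keep only events whose src_ip matches no whitelist entry."""
    return [e for e in events if matching_entry(e["src_ip"], networks) is None]


if __name__ == "__main__":
    nets = load_cidr_whitelist(PAN_DOS_EXCEPTIONS_CSV)
    for event in exclude_whitelisted(SAMPLE_EVENTS, nets):
        print(event["src_ip"])  # prints 10.54.22.86 and 172.16.0.5
```

If the real search still returns every event, comparing its results against this expected set is a quick way to confirm whether the lookup is being applied at all.
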
alainrojas
New Member

Didn't work... it still does not filter anything. It seems like it just ignores the lookup and brings out every event.

0 Karma