I'm having problems to use a lookup file as a whitelist. Basically, I have a simple ip address list with CIDR mask appended like:
ip_address
10.20.25.36/20
10.54.22.85/32
192.168.25.14/20
So I uploaded it as PAN_DOS_exceptions.csv, then i defined a stanza in transforms.conf as:
[PAN_DOS_exceptions]
filename=PAN_DOS_exceptions.csv
min_matches = 1
default_match = NONE
match_type = CIDR(ip_address)
Then I used https://my-splunk-server:8000/en-US/debug/refresh to reload the transforms.conf so when I execute the following search:
index="pan_logs" sourcetype=pan_threat log_subtype=flood | NOT [lookup PAN_DOS_exception ip_address AS src_ip]
It returns every entry without filtering the lookup table. The idea is to exclude from the result those ip addresses that are in the lookup table.
Thoughts?
Try something like this.
index="pan_logs" sourcetype=pan_threat log_subtype=flood NOT [ | inputlookup PAN_DOS_exception.csv | rename ip_address AS src_ip | table src_ip | format]
Hope it helps.
Try this
index="pan_logs" sourcetype=pan_threat log_subtype=flood | lookup PAN_DOS_exception ip_address AS src_ip OUTPUT ip_address | where isnull(ip_address)
Didn't work...it still does not filter anything. It seems like it just ignores the lookup and bring out every event.