Splunk Search

lookup table as a search criteria

wsw70
Communicator

Hello,

Still trying to find a way to manage false positives in a search, I am leaning more and more towards an external file which could be looked up as part of a search to modify (filter) the search results.

Do you know of examples where, within a splunk search string there is a call to a script to which two parameters are passed and this script returns a value (boolean or other) which then influences the results? Something like (I know that the syntax is incorrect, I just want to give an idea of what I want to achieve):

... | eval IsFalsePositive = script CheckFalsePositives(host,vulnID) | search IsFalsePositive=0

The script documentation mentions that one can run a script which outputs some data. How could this be adapted to my case (what I provided is just my idea of how to handle this kind of search filtering - there may be better ways than to assign a variable which is then checked for its value)? I also saw the article about handling inputs which could be adequate but the example (iplocate) is far from obvious.

Maybe it would be possible to directly implement this in a Splunk search (without a script)? Ideally the file would have the following content

machine_name,vulnerability
host1,vuln1
host5,*
*,vuln32
...

which would cover all reasonable cases (line 1: ignore vuln1 for host1, line 2: ignore all vulnerabilities for host 5, line 3: ignore all hosts for vulnerability vuln32).

Thank you!

1 Solution

hexx
Splunk Employee

I think the pieces you need are:

  • An outputlookup to append to the search that detects the false positives and capture whatever identifying fields you need in a lookup table.
  • An inputlookup to "load" the elements stored in the lookup table as search terms in your main search...
  • ...using a carefully crafted subsearch to ensure that the fields that identify false positives obtained from the lookup are formatted as search terms that exclude the pertinent events. Pay special attention to the bits that explain how the results of a subsearch are formatted.
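As an added worked example (this is not part of hexx's post), here is what the inputlookup/subsearch approach looks like against the CSV from the question. It assumes the file has been uploaded as a lookup table file named `false_positives.csv`, and that the scan events carry the fields `host` and `vulnID` under `index=vulnscan`; those names are assumptions, not taken from the thread.

```spl
index=vulnscan
    NOT [
        | inputlookup false_positives.csv
        | rename machine_name AS host, vulnerability AS vulnID
        | fields host vulnID
    ]
```

Splunk rewrites the subsearch results into a search term of the form `( (host="host1" AND vulnID="vuln1") OR (host="host5" AND vulnID="*") OR (host="*" AND vulnID="vuln32") )`, and because `*` is a wildcard in a search term, the `host5,*` and `*,vuln32` rows from the question suppress every vulnerability on host5 and every host with vuln32 respectively, which covers all three cases listed there. The `rename` is what makes the lookup columns line up with the event field names, and `fields` keeps the generated term limited to the two identifying fields. Two caveats worth checking: subsearches are capped by `subsearch_maxout` (10,000 results by default) and a run-time limit, which is fine for a hand-maintained table but matters if the table is ever generated from a search; and the lookup filters rows only after the scanner events have been retrieved, so it hides false positives from the results rather than from the index.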



sowings
Splunk Employee

If you don't need to (re-)generate the table based upon search results, then just go with inputlookup.


wsw70
Communicator

This is an interesting idea (I am still trying to understand the details in the pages you linked to) but the false positives will not be generated through a search but manually in a table similar to the one in my question. This is why I was more looking at a scripted search which should also be more flexible (the fact something is a false positive or not could also depend, potentially, on external data like the location for instance).
