Sequential automatic lookups not working...

responsys_cm
Builder

Here is my props.conf for the Qualys vulnerability data:

[qualys:hostDetection]
LOOKUP-2_qualys_nvd_lookup = nvd_db_lookup cve AS cve OUTPUT cvss_access_complexity AS cvss_access_complexity, cvss_access_vector AS cvss_access_vector, cvss_authentication AS cvss_authentication, cvss_availability_impact AS cvss_availability_impact, cvss_base AS cvss_base, cvss_confidentiality_impact AS cvss_confidentiality_impact, cvss_exploit AS cvss_exploit, cvss_integrity_impact AS cvss_integrity_impact, summary AS summary

LOOKUP-1_qualys_kb_lookup = qualys_kb_lookup QID as qid OUTPUT VULN_TYPE as vuln_type, PATCHABLE as patchable, PCI_FLAG as PCI_flag, TITLE as signature, CATEGORY as vuln_category, PUBLISHED_DATETIME as published_datetime, CVSS_BASE as cvss, CVSS_TEMPORAL as cvss_temporal, CVE as cve, VENDOR_REFERENCE as xref

The LOOKUP-1_qualys_kb_lookup comes straight from the Qualys TA.

The second one should take the cve ID returned from the first lookup and then grab the associated CVSS metrics from another lookup table.

The lookup names in lexicographical order should have them working properly, but I never get the CVSS metrics. I've copied the lookup logic into the search pipeline and that works fine, so I know it isn't a problem with the lookup syntax.

Any ideas on why this isn't working?

Thx.


493669
Super Champion

Hi @responsys_cm
It seems to be a permission issue, so include the stanza below in metadata/default.meta:

 [props/<sourcetype_name>/LOOKUP-<Automatic_Lookup_Name>]
 export = system

In your case it will be:

 [props/qualys:hostdetection/LOOKUP-nvd_db_lookup]
 export = system

responsys_cm
Builder

I tried that and it didn't work. When I look at the permissions for the lookup table and the automatic lookup, they are all set to Global...


responsys_cm
Builder

I'm seeing this error message:

01-12-2018 18:11:30.440 +0000 ERROR LookupOperator - The lookup table 'nvd_db_lookup' does not exist. It is referenced by configuration 'qualys:hostdetection'.

The lookup table exists on disk. The data in it looks valid. The transforms.conf entry for that lookup is:

[nvd_db_lookup]
filename = nvd_db_lookup.csv
max_matches = 1

That's the file name. All these configs are in the same search app.

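To make the chaining behaviour in the original question concrete (first lookup yields cve, second lookup keys on that cve) and to show what the "lookup table does not exist" error above does to the chain, here is an added Python model of how props.conf LOOKUP-<class> definitions are applied. It is example code written for this page, not Splunk's own implementation and not the Qualys TA's code. It assumes that automatic lookups run in ASCII sort order of the class name (the reason LOOKUP-1_... is meant to run before LOOKUP-2_...), that a lookup whose transforms stanza is missing is skipped and reported, and that max_matches caps the matched rows. All lookup tables, QIDs and CVE rows are constructed sample data; the field-spec grammar handled is the "col AS field, ..." form shown in the thread (OUTPUTNEW and multivalue inputs are not modelled).

```python
"""Offline model of Splunk automatic-lookup chaining (example code, not Splunk's).

Assumptions (labelled here and in the lead-in):
  * LOOKUP-<class> keys in a props stanza are applied in ASCII order of <class>.
  * A lookup name with no transforms stanza is skipped and an error recorded,
    mirroring the 'The lookup table ... does not exist' log line in the thread.
  * max_matches limits how many matching CSV rows feed the OUTPUT fields.
All tables below are constructed sample data.
"""
import csv
import io
import re

# Constructed stand-in for transforms.conf: name -> CSV contents and max_matches
TRANSFORMS = {
    "qualys_kb_lookup": {
        "filename": "QID,TITLE,CVSS_BASE,CVE\n"
                    "90001,Example SSH Weak Cipher,5.0,CVE-2000-0001\n",
        "max_matches": 1,
    },
    "nvd_db_lookup": {
        "filename": "cve,cvss_base,cvss_access_vector,summary\n"
                    "CVE-2000-0001,5.0,NETWORK,Constructed summary text\n"
                    "CVE-2000-0001,7.5,NETWORK,Second row dropped by max_matches\n",
        "max_matches": 1,
    },
}

# Constructed props.conf stanza, using the same key form as the thread
PROPS = {
    "LOOKUP-2_qualys_nvd_lookup":
        "nvd_db_lookup cve AS cve OUTPUT cvss_base AS cvss_base, "
        "cvss_access_vector AS cvss_access_vector, summary AS summary",
    "LOOKUP-1_qualys_kb_lookup":
        "qualys_kb_lookup QID as qid OUTPUT TITLE as signature, "
        "CVSS_BASE as cvss, CVE as cve",
}

_FIELD = re.compile(r"^\s*(\S+)(?:\s+[Aa][Ss]\s+(\S+))?\s*$")


def parse_field_list(text):
    """'A as b, C' -> [('A', 'b'), ('C', 'C')] as (csv column, event field)."""
    pairs = []
    for part in text.split(","):
        m = _FIELD.match(part)
        if not m:
            raise ValueError("bad field spec: %r" % part)
        pairs.append((m.group(1), m.group(2) or m.group(1)))
    return pairs


def parse_lookup_def(value):
    """'name in AS f OUTPUT out AS g' -> (name, input pairs, output pairs)."""
    head, _, out = value.partition(" OUTPUT ")
    name, _, inputs = head.strip().partition(" ")
    return name, parse_field_list(inputs), parse_field_list(out)


def apply_lookup(event, lookup_def, transforms, errors):
    """Apply one automatic lookup to an event dict; return the enriched copy."""
    name, inputs, outputs = parse_lookup_def(lookup_def)
    if name not in transforms:
        # Same condition the thread's LookupOperator error reports
        errors.append("The lookup table '%s' does not exist." % name)
        return event
    rows = list(csv.DictReader(io.StringIO(transforms[name]["filename"])))
    matches = [r for r in rows
               if all(str(event.get(ev, "")) == r.get(col, "")
                      for col, ev in inputs)]
    matches = matches[:transforms[name]["max_matches"]]
    out = dict(event)
    for r in matches:
        for col, ev in outputs:
            if col in r:
                out[ev] = r[col]
    return out


def run_automatic_lookups(event, props=PROPS, transforms=TRANSFORMS):
    """Apply every LOOKUP-<class> key in ASCII order; return (event, errors)."""
    errors = []
    out = dict(event)
    for key in sorted(k for k in props if k.startswith("LOOKUP-")):
        out = apply_lookup(out, props[key], transforms, errors)
    return out, errors


if __name__ == "__main__":
    enriched, errs = run_automatic_lookups({"qid": "90001"})
    print(enriched, errs)
```

Running it with the qid-only event shows cve arriving from the first lookup and cvss_base, cvss_access_vector and summary from the second. Removing the nvd_db_lookup entry from the transforms dict reproduces the thread's failure mode: cve is still set but no CVSS fields appear and the error list carries the "does not exist" message. Renaming the classes so the NVD lookup sorts first (for example LOOKUP-nvd before LOOKUP-qualys_kb) also yields no CVSS fields, because the cve input does not exist yet when that lookup runs.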