Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a lookup for search

cthulhucalling
Engager
‎06-11-2019 03:48 PM

I have a small CSV file with common attack signatures in them that I have uploaded as a lookup called web_attack_signatures.csv:

uri_path, description
*/etc/passwd*, Passwd file access attempt
*phpadmin*, PHPadmin access attempt

Ignoring the fact that these signatures are inefficient, the idea is that the lookup feeds the search, looking for any attack signature matches matches in my web logs. The relevant field in my logs is also called uri_path. So far I have been able to pull relevant events using this query:

earliest=-1d index=web [| inputlookup web_attack_sigs.csv | fields uri_path]

But I cannot get get the description field to be added to the results. I've tried adding "description" to the fields command with 0 results, and tried piping the events to another lookup command but that didn't work either. Can anyone help?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-12-2019 07:05 AM

When adding the description to the output of the subsearch, it will also use that for filtering, which is not what you want. If I understand correctly, you want to filter the events for the signatures and then add the description to the results, right?

I think the following should work (might require some configuration change on your lookup, to enable wildcard matches):

earliest=-1d index=web 
| lookup web_attack_sigs.csv uri_path OUTPUT description
| search description=*

Possibly the search runs more quickly if you keep the subsearch to do the initial filtering:

earliest=-1d index=web [| inputlookup web_attack_sigs.csv | fields uri_path]
| lookup web_attack_sigs.csv uri_path OUTPUT description

View solution in original post

Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-12-2019 12:31 PM

Hi @cthulhucalling ,

As some of the others have said, you can have wildcards in your lookups, but you have to specify it in the advanced settings in the web interface (UI). Here is an example of how you would do that:
alt text

Once you have the lookup configured, you can use the following search logic:

| lookup web_attack_sigs uri_path OUTPUT description

Here is what it looks like:
alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-12-2019 07:05 AM

When adding the description to the output of the subsearch, it will also use that for filtering, which is not what you want. If I understand correctly, you want to filter the events for the signatures and then add the description to the results, right?

I think the following should work (might require some configuration change on your lookup, to enable wildcard matches):

earliest=-1d index=web 
| lookup web_attack_sigs.csv uri_path OUTPUT description
| search description=*

Possibly the search runs more quickly if you keep the subsearch to do the initial filtering:

earliest=-1d index=web [| inputlookup web_attack_sigs.csv | fields uri_path]
| lookup web_attack_sigs.csv uri_path OUTPUT description
Reply
Solved! Jump to solution

cthulhucalling
Engager
‎06-12-2019 07:33 AM

The issue appears to be that I'm wildcarding the signatures. If I change /etc/passwd to just /etc/passwd, I do get the description when I do this:

earliest=-1d index=web [| inputlookup web_attack_sigs.csv | fields uri_path]
| lookup web_attack_sigs.csv uri_path OUTPUT description

I'm guessing that because of the wildcards, it's not an exact match when the lookup occurs, so it's not a hit and the description isn't added. The issue is that I get only results where the request is exactly for /etc/passwd.

0 Karma
Reply
Solved! Jump to solution

cthulhucalling
Engager
‎06-12-2019 07:14 AM

The first query returns anything with "description" in the event. The second one I had tried yesterday. It returns relevant results but the description line is not being added to the events.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎06-12-2019 07:38 AM

Did you configure your lookup to allow wildcard matches on the uri_path field? Otherwise the lookup command will not work as expected.

0 Karma
Reply
Solved! Jump to solution

cthulhucalling
Engager
‎06-12-2019 07:42 AM

I don't have shell access to that particular search head, so I can't do that.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎06-12-2019 07:53 AM

You can configure that in the GUI in the advanced options of a lookup definition.

0 Karma
Reply
Solved! Jump to solution

cthulhucalling
Engager
‎06-12-2019 08:33 AM

Adding WILDCARD(uri_path) to the lookup definition did the trick! Thank you!

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-11-2019 05:55 PM

Hi cthulhucalling,

try this:

earliest=-1d index=web [| inputlookup web_attack_sigs.csv | format]

by using format you will get a list of 

( ( uri_path="*/etc/passwd*" AND description ="Passwd file access attempt" ) OR ( uri_path="*phpadmin*" AND description ="PHPadmin access attempt" ) )

That will be added to your base search. More details here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

cthulhucalling
Engager
‎06-12-2019 06:58 AM

I tried this query. Unfortunately, it returned 0 results.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-12-2019 01:25 PM

Well, it also looks like I completely misunderstood your question 😉 Sorry for that.

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...