I have a challenge in front of me that I can't figure out. I spent a few hours searching 'answers' and made some headway but I need some help on a sticking point...
The problem: We need to be able to quantify "new" hosts that are found on our network every 30 days. To do this I have connected Splunk with Tenable SecurityCenter (using the add-on) to feed Splunk all the data we need to solve this problem.
The solution: I have created two searches.
1) The first search creates the lookup file that contains the previously discovered IP addresses and hostnames (outputlookup append=t). The time range for this scan is -90d@d to -31d@d
2) The second search is where I have run into a problem. The second search should take the lookup table created in the first search, compare the fields containing the IP and hostname data and if it finds a match exclude it from the search results. The time range of this search is -30d@d to now. This should result in only "new" hosts or hosts found in the most recent scan.
The second search is:
index=foo sourcetype=bar | dedup ip dnsName | rename ip as IP dnsName as Hostname | lookup foobar ip OUTPUT ip | search NOT (ip OR dnsName)
This gets me halfway there, but I really need to exclude both ip and dnsName. How do I add a second "output" to the lookup command? If I simply put it directly after the first I get an error.
How's this?
index=foo sourcetype=bar NOT [|inputlookup foobar |table ip,dnsName]
| dedup ip dnsName
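As an added example (not code from the question or either answer), both searches written out end to end, keyed on ip and dnsName together: the baseline search stamps each known pair with a constructed marker field `known` before writing it to the `foobar` lookup from the question, and the second search drops every pair that gets that marker back from the lookup. Index, sourcetype and lookup name are the ones from the question; the `known` field and its value are assumptions.

```spl
index=foo sourcetype=bar earliest=-90d@d latest=-31d@d
| dedup ip dnsName
| eval known=1
| table ip dnsName known
| outputlookup append=t foobar

index=foo sourcetype=bar earliest=-30d@d latest=now
| dedup ip dnsName
| lookup foobar ip dnsName OUTPUT known
| where isnull(known)
| table ip dnsName
```

Unlike the `NOT [ ... ]` subsearch form, this is not bound by the subsearch row cap (10,000 rows by default), which silently truncates the exclusion list on a large network; with `append=t` the lookup keeps accumulating rows across runs, so the baseline search is best scheduled once per window rather than re-run ad hoc.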
What error do you get when you try ... | lookup foobar ip OUTPUT ip dnsname | ... ?
When I did that...I didn't get an error.
I have however restructured the search:
index=foo sourcetype=bar | dedup ip dnsName | lookup foobar ip dnsName OUTPUT ip dnsName | search NOT (ip OR dnsName) | table ip dnsName
This appears to be working as I need it to, but I need to verify the output is correct (working on that).