Hey guys,
I am trying to keep my search code as neat as possible. I have a simple code that uses key words to help identify attackers, but the problem is I have a list of about 20-30 hosts that are known attackers/false warnings, and I do not want them in my search results. Rather than adding to my short code - NOT(host1 OR host2 OR host3 OR host4.....OR host25), I would prefer to store this list somewhere in the search.
Is there a cleaner and tidier way to do this without having to type the example I just gave?
Thanks for any response!
I would use a lookup to solve this problem. Create a CSV that contains a list of known attackers:
host_ip
192.168.17.1
192.168.17.7
etc. Upload the file and create a lookup based on it. I'll call it attacker_lookup for my example. Here is the info on how to create a lookup. In my example, I set a default value of "NotInList", so that is what will be returned when no match is found in the list.
Now there are a couple of ways to run your search, but this is my favorite because it will work well no matter how long your list becomes:
attack OR somethingElse
| lookup attacker_lookup host_ip as your_ip_field_name | where host_ip="NotInList"
As your list of known attackers / false warnings grows, just add to the CSV and upload it again to Splunk. The search always uses the latest CSV, so maintenance is easy.
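To make the lookup semantics above concrete, here is an added example in Python that is not part of the thread or of lguinn's answer. It emulates what `| lookup attacker_lookup host_ip AS <field>` with a default value of "NotInList" followed by `| where host_ip="NotInList"` does, and adds the check a practitioner wants before re-uploading the CSV: rows are trimmed, de-duplicated and validated as IP addresses, with bad rows reported instead of silently matching nothing. The CSV contents, the sample events and the field name `src_ip` are constructed for the example.

```python
import csv
import io
import ipaddress

# Constructed lookup file contents (not from the thread). Same single-column
# layout as the CSV described in the answer, with a duplicate, a row with
# leading whitespace and a malformed row to exercise the validation.
ATTACKER_CSV = """host_ip
192.168.17.1
192.168.17.7
192.168.17.7
 10.0.0.5
not-an-ip
"""

# Constructed sample events; `src_ip` stands in for "your_ip_field_name".
SAMPLE_EVENTS = [
    {"_raw": "attack detected from 192.168.17.1", "src_ip": "192.168.17.1"},
    {"_raw": "attack detected from 203.0.113.9", "src_ip": "203.0.113.9"},
    {"_raw": "somethingElse from 10.0.0.5", "src_ip": "10.0.0.5"},
    {"_raw": "attack with no source field"},
]


def load_lookup(csv_text, key="host_ip"):
    """Parse the lookup CSV into a set of validated keys.

    Whitespace is stripped, duplicates collapse into the set, and rows that are
    not valid IPv4/IPv6 addresses are returned separately so the maintainer can
    fix the file rather than have the row silently never match."""
    keys, rejected = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(key) or "").strip()
        try:
            keys.add(str(ipaddress.ip_address(value)))
        except ValueError:
            rejected.append(value)
    return keys, rejected


def apply_lookup(events, keys, field, output="host_ip", default="NotInList"):
    """Emulate `| lookup attacker_lookup host_ip AS <field>` with a default value.

    Every event gets the `output` field set to the matched key, or to `default`
    when the field is missing or not in the list."""
    tagged = []
    for ev in events:
        ev = dict(ev)
        value = ev.get(field)
        ev[output] = value if value in keys else default
        tagged.append(ev)
    return tagged


def exclude_known(events, keys, field, output="host_ip", default="NotInList"):
    """Equivalent of `| where host_ip="NotInList"`: keep only events whose source
    is not in the exclusion list. An event with no source field at all also gets
    the default and is kept, which is the right behaviour for a list of known
    noise: something you cannot attribute still deserves a look."""
    return [ev for ev in apply_lookup(events, keys, field, output, default)
            if ev[output] == default]


def normalized_csv(keys, key="host_ip"):
    """Render the cleaned list back to CSV, sorted, ready to re-upload."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([key])
    for k in sorted(keys, key=lambda a: (ipaddress.ip_address(a).version,
                                         int(ipaddress.ip_address(a)))):
        writer.writerow([k])
    return buf.getvalue()


if __name__ == "__main__":
    known, bad_rows = load_lookup(ATTACKER_CSV)
    print("rejected rows:", bad_rows)
    for ev in exclude_known(SAMPLE_EVENTS, known, "src_ip"):
        print("review:", ev["_raw"])
    print(normalized_csv(known))
```

Keeping the list in one place, validating it on the way in and writing it back sorted makes diffs between uploads readable, which matters once several people maintain the file.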
Yes that's right. I guess when I wrote my original answer I forgot to include the "`" or they were lost in the formatting. Good catch.
Fantastic, thank you. I like both your idea and lguinn's. Good options. My question with this one is how does it distinguish the word "attack" from being a macro, or from being a phrase to search my event logs for. Like if I did "index=main union attackers", how does it know union is a phrase and attackers is a macro?
EDIT: Answered my question. Found through documentation: use the left quote to signal a macro. The left quote (`) isn't visible, but I guess it is implied. Thanks.
Thank you. I have been having fun with my recent discovery of CSV files to do searches with. This was a good idea.
You could use a macro. Go to Manager > Advanced Search > Search macros > new
You can then define a macro named "attackers", with the definition being NOT(host1 OR host2 ... host25). Then in your searches you'd simply call the macro and have the string be replaced.
Example:
Macro: attack = NOT(host1 OR host2)
Search: index=main `attack`
End result: index=main NOT(host1 OR host2)
Hope this helps