Solved: Ways to store a list/conditionals in search settin...

ktrumpol · ‎06-24-2013

Hey guys,

I am trying to keep my search code as neat as possible. I have a simple code that uses key words to help identify attackers, but the problem is I have a list of about 20-30 hosts that are known attackers/false warnings, and I do not want them in my search results. Rather than adding to my short code - NOT(host1 OR host2 OR host3 OR host4.....OR host25), I would prefer to store this list somewhere in the search.

Is there a cleaner and tidier way to do this without having to type the example I just gave?

Thanks for any response!

lguinn2 · ‎06-24-2013

I would use a lookup to solve this problem. Create a CSV that contains a list of known attackers:

host_ip
192.168.17.1
192.168.17.7

etc. Upload the file and create a lookup based on it. I'll call it attacker_lookup for my example. Here is the info on how to create a lookup. In my example, I set a default value of "NotInList", so that is what will be returned when no match is found in the list.

Now there are a couple of ways to run your search, but this is my favorite because it will work well no matter how long your list becomes:

attack OR somethingElse 
| lookup attacker_lookup host_ip as your_ip_field_name | where host_ip="NotInList"

As your list of known attackers / false warnings grows, just add to the CSV and upload it again to Splunk. The search always use the lastest CSV, so maintenance is easy.

View solution in original post

aholzer · ‎06-24-2013

Yes that's right. I guess when I wrote my original answer I forgot to include the "`" or they were lost in the formatting. Good catch.

ktrumpol · ‎06-24-2013

Fantastic, thank you. I like both your idea and lguinn's. Good options. My question with this one is how does it distinguish the word "attack" from being a macro, or from being a phrase to search my event logs for. Like if I did "index=main union attackers", how does it know union is a phrase and attackers is a macro?

EDIT: Answered my question. Found through documentation - use the left quote to signal a macro. The left quote " ` ", isn't visible but I guess it is implied, thanks.

lguinn2 · ‎06-24-2013

I would use a lookup to solve this problem. Create a CSV that contains a list of known attackers:

host_ip
192.168.17.1
192.168.17.7

etc. Upload the file and create a lookup based on it. I'll call it attacker_lookup for my example. Here is the info on how to create a lookup. In my example, I set a default value of "NotInList", so that is what will be returned when no match is found in the list.

Now there are a couple of ways to run your search, but this is my favorite because it will work well no matter how long your list becomes:

attack OR somethingElse 
| lookup attacker_lookup host_ip as your_ip_field_name | where host_ip="NotInList"

As your list of known attackers / false warnings grows, just add to the CSV and upload it again to Splunk. The search always use the lastest CSV, so maintenance is easy.

ktrumpol · ‎06-24-2013

Thank you. I have been having fun with my recent discovery of CSV files to do searches with. This was a good idea.

aholzer · ‎06-24-2013

You could use a macro. Go to Manager > Advanced Search > Search macros > new

You can then define a macro named "attackers", with the definition being NOT(host1 OR host2 ... host25). Then in your searches you'd simply call the macro and have the string be replaced.

Example:
Macro: attack = NOT(host1 OR host2)
Search: index=main attack
End result: index=main NOT(host1 OR host2)

Hope this helps

Ways to store a list/conditionals in search settings?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk