- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- filter out events from lookuptable
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
filter out events from lookuptable
Hi,
I have the correlation rule-Substantial Increase In Events enabled but I just want to fine tune this rule based on our environment.
I dont want this rule to fire when there is a match in the signature that is defined in the lookuptable "substantialincreasesignature.csv".
But as soon as I run this it is throwing an error,can you check out this for me.
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature| search IDS_Attacks.signature!=* [inputlookup substantialincreasesignature.csv]
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature as signatures AND NOT[|inputlookup substantialincreasesignature|fields signature]
Both search I tried but no results:(
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]
Update
It could be the field names returned by the data model doesn't match the field name in lookup. Replace the inputlookup query with this in above
| inputlookup substantialincreasesignature | table signature | rename signature with ExactFieldNameFromDataModelResult]
To get the ExactFieldNameFromDataModelResult, run your base search and check the name of signature field.
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2,
your query is working fine,but it is showing data that is present in the lookuptable 'substantialincreasesignature'.I dont want to see the data that I have specified in the lookup table.
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See the updated section of the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say it's throwing an error - what error?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields IDS_Attacks.signature]
is showing results that is in lookuptable.
How to get the events that is not in the lookuptable?
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
