- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search query required to lookup a csv file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search query required to lookup a csv file
Hi,
I need to check if the source address from the firewall logs is in private ip address range. How would i check using inputlookup and join commands.
Below is the query i am using , however no results come up
index=firewall log_subtype=vulnerability severity=informational | join src [ inputlookup PRIVATE_IP.csv ] | stats count by src
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You don't have to use a join here, which is a very "costly" command. A simple subsearch does the trick as well:
index=firewall log_subtype=vulnerability severity=informational | search [inputlookup PRIVATE_IP.csv]
Given that the lookup table contains only one field named "src" - otherwise you will have to restrict the return from the subsearch and / or rename the field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for that query.
I am using the below query and results i see is only public IP addresses, however result should show only private IPs. Am i doin something wrong? Please do correct me
index=frewall log_subtype="vulnerability" severity="informational" | join type=left src_ip [ inputlookup PRIVATE_IP.csv ] | stats count by src_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You don't have to use the join command. Have you tried using the query I stated above? If you add the count command, you should get exactly the result you want.
index=firewall log_subtype="vulnerability" severity="informational" | search [ inputlookup PRIVATE_IP.csv ] | stats count by src_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ajayrejin,
Try this and lets know if it works.
index=firewall log_subtype=vulnerability severity=informational |eval flag=0
|append [inputlookup PRIVATE_IP.csv |eval flag=1]
|stats count , max(flag) as flag by src
If the count is > 1 and flag=1 then its a private IP which is part of your lookup file.
What goes around comes around. If it helps, hit it with Karma 🙂
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
