Wednesday, July 11, 2012

Splunk – Using Lookup Files


The steps below show how to configure and use lookup files within Splunk.
  • Step 1: Add the lookup CSV file (with header columns ip and description) in Lookup table files

  • Step 2: Map the lookup table file to a lookup definition (named ip_webattackerlist here)

  • Step 3: Verify that the lookup works from the Search Head
|inputlookup ip_webattackerlist

  • Step 4: Here the ip field contains an IP range (start-end) rather than a single IP, so extract an address from the range and verify that it displays as intended. Note that rex keeps only the first match, so both of the following capture just the first address of each range, not every address inside it
|inputlookup ip_webattackerlist | rex field=ip "(?<ipnew>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
OR
|inputlookup ip_webattackerlist | rex field=ip "(?<ipnew>[^-]+)"

  • Step 5: Search the logs for events whose src_ip is in the malicious list. The subsearch expands to an OR of src_ip values; field names are case-sensitive, so it must be index=*, not Index=*, and a subsearch returns at most 10,000 results by default
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip]
  • Step 6: Chart the output for a dashboard panel. Use whichever variant matches the name of the source address field in your events (src or src_ip)
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src>[^-]+)" | dedup src | fields src] | lookup ip_webattackerlist ip AS src output description | stats count by src description
OR
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip] | lookup ip_webattackerlist ip AS src_ip output description | stats count by description
OR
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip] | lookup ip_webattackerlist ip AS src_ip output description | stats count by src_ip
  • Step 7: To add new src_ip values to the list. The search generates one row per address, appends the existing rows of the lookup, and outputlookup then overwrites the file with the combined table, so running it twice with the same addresses produces duplicate rows
| stats count | rename count as ip | eval ip="69.28.58.28,202.177.218.43,49.183.211.42,50.17.211.194,122.150.35.248" | makemv delim="," ip | mvexpand ip | eval description="known_attacker" | inputlookup append=t ip_webattackerlist | outputlookup ip_webattackerlist
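Steps 4 to 6 only ever match the first address of each range, because rex keeps a single match. The script below is an added example, not part of the original post and not Splunk code: it reads a constructed copy of the ip_webattackerlist CSV, splits each start-end range into CIDR blocks with the standard ipaddress module, writes a cidr,description CSV that a lookup definition using match_type = CIDR(cidr) in transforms.conf can consume, and checks constructed sample events against both the full ranges and the first-address-only extraction the post uses. The column name cidr, the function names, and all sample data are my own choices.

```python
"""Convert an IP-range lookup into CIDR rows and test log src_ips against it.

Added example (not from the original post). The `ip`/`description` column
names follow the post; `cidr`, the function names and the sample data are
assumptions made for this demonstration.
"""
import csv
import io
import ipaddress

# Constructed sample of the lookup as the post describes it: the `ip` column
# holds either a single address or a "start-end" range.
LOOKUP_CSV = """ip,description
10.20.30.5,known_attacker
192.0.2.0-192.0.2.255,scanner_block
198.51.100.10-198.51.100.13,brute_force
"""

# Constructed sample events; only the src_ip key/value pair matters here.
SAMPLE_LOGS = [
    "2012-07-11 10:00:01 src_ip=10.20.30.5 uri=/login",
    "2012-07-11 10:00:02 src_ip=192.0.2.77 uri=/admin",
    "2012-07-11 10:00:03 src_ip=198.51.100.12 uri=/wp-login.php",
    "2012-07-11 10:00:04 src_ip=203.0.113.9 uri=/index.html",
]


def parse_lookup(text):
    """Return [(network, description), ...], splitting start-end ranges into
    the minimal set of CIDR blocks that covers them exactly."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        value = row["ip"].strip()
        if "-" in value:
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            nets = list(ipaddress.summarize_address_range(start, end))
        else:
            nets = [ipaddress.ip_network(value)]  # bare address -> /32
        for net in nets:
            rows.append((net, row["description"]))
    return rows


def to_cidr_csv(rows):
    """Render the rows as CSV text for a lookup definition whose
    transforms.conf stanza sets match_type = CIDR(cidr)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["cidr", "description"])
    for net, desc in rows:
        writer.writerow([str(net), desc])
    return buf.getvalue()


def first_ip_only(text):
    """Mirror what the post's rex "(?<src_ip>[^-]+)" keeps: only the text
    before the first dash, i.e. the start of each range."""
    return {row["ip"].split("-", 1)[0].strip() for row in csv.DictReader(io.StringIO(text))}


def extract_src_ip(line):
    """Pull the src_ip value out of a key=value style event line."""
    for token in line.split():
        if token.startswith("src_ip="):
            return ipaddress.ip_address(token[len("src_ip="):])
    return None


def match_logs(lines, rows):
    """Return {src_ip: description} for events whose src_ip falls in any block."""
    hits = {}
    for line in lines:
        ip = extract_src_ip(line)
        if ip is None:
            continue
        for net, desc in rows:
            if ip in net:
                hits[str(ip)] = desc
                break
    return hits


if __name__ == "__main__":
    rows = parse_lookup(LOOKUP_CSV)
    print(to_cidr_csv(rows))
    print("range match:", match_logs(SAMPLE_LOGS, rows))
    print("first-address-only:", sorted(first_ip_only(LOOKUP_CSV)))
```

With the range-aware rows, 192.0.2.77 and 198.51.100.12 are flagged; the first-address-only set the post's rex produces contains only 10.20.30.5, 192.0.2.0 and 198.51.100.10, so those two events would be missed by Steps 5 and 6 as written. Upload the generated CSV as a new lookup table file and give its definition match_type = CIDR(cidr) so `lookup` can match src_ip against the blocks directly, without a subsearch.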