Splunk has a lookup command that looks up values in a CSV file and outputs the matches as new fields.

If you want to look up the DNS name of a dest_ip, you can use the dnslookup lookup definition, which is built in to Splunk:

```
host=Paloalto dest_port=25 OR dest_port=587 | stats count by dest_ip | lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS dest_host
```

You can also save the above output as a CSV file using the outputlookup command, and then use it as a lookup resource later:

```
host=Paloalto dest_port=25 OR dest_port=587 | stats count by dest_ip | lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS dest_host | outputlookup SMTP_IP_DNS.csv
```

Using the lookup command for later reference:

```
host=Paloalto dest_port=25 OR dest_port=587 | stats count by src_ip dest_ip | lookup SMTP_IP_DNS
```

The inputlookup command is used to retrieve data from a Splunk lookup. Instead of re-reading the .csv file, or creating an output lookup every time you need the .csv in a lookup table, you can create the output lookup once and then retrieve it, almost instantaneously, as many times as you need with an inputlookup:

```
index=someindex host=hostp "STATICSEARCHSTRING" [inputlookup users.csv | fields UserList | rename UserList as query]
```

What is happening here is that there is a sub-search, which does an inputlookup on the users.csv file. We then use fields to ensure there is only a single field (UserList) in the data, and rename it to query so that its values are returned to the outer search.

First, make sure the suricata:dns sourcetype has a field called destip. If it does not, then you'll need a rename command in the subsearch.