These days many companies have started using Splunk for security monitoring, and the only thing I can say is "it is worth it". Splunk can significantly reduce the workload: just imagine that you are operating more than 20 security solutions which generate tons of logs, and you have to identify an attack and of course react promptly. I can certainly recommend Splunk for such scenarios. Of course everything comes at a cost, and Splunk is definitely not a cheap product.
I have now been using Splunk for the past 3 years, but still from time to time I need to google some stuff to fix my issues, and many times I had to spend a bit too much time even though the Splunk community is very strong. Maybe I was not looking in the right direction, and perhaps I was too naive to understand what others were talking about. Therefore, through the medium of my blog, I will share some useful information for all the Splunk users.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Creating a lookup:
There are use cases in Splunk where static information is required in a search but is not available in an index. For these kinds of cases we create a static lookup. Splunk supports a static CSV file or the output of a Python script as a lookup. I will cite an example of a static CSV; once you have created a lookup you may use it in searches depending upon your use cases.
We will start with an example of a list of IPs that you know are static; let's say different services in your organization are behind these IPs and you would like to see the results in a dashboard based upon the lookup IPs. In order to start, go to Settings and there you will see the Lookups menu as shown below:
Now we need to upload our CSV, therefore we go to Lookup table files. Add the lookup table file that we just created. For the destination app, you can select a particular app if you have installed many apps and would like only that app to have access to this lookup. For the name, as described by Splunk itself, in the case of a CSV file we should use .csv as the extension.
Once you upload the file, you need to create a lookup definition. Give any name to the definition, and since we are using a CSV file to create the lookup, choose File-based. Select the destination app where you would like to use this definition. Once you are done creating the lookup definition you will notice that it automatically tells you the supported fields, as below:
If you would like to extract the fields from your lookup, go to the search bar and use the following command to see the lookup file:
| inputlookup <name of the lookup file or lookup definition>
Here we have used:
Lookup table: AAAA.csv
Lookup definition: testing_AA
And the result will be similar to the one shown here:
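As an added example (not from the original post, and Python rather than SPL so it runs offline), here is what the lookup does once it is in place: it validates a constructed AAAA.csv before you upload it, then enriches sample events the way `| lookup testing_AA ip AS dest_ip OUTPUT service` would and counts hits per service for the dashboard. The column names ip and service, and the event field dest_ip, are assumptions; the post does not name them.

```python
import csv
import ipaddress
from collections import Counter
# Constructed sample lookup table, i.e. what you would upload as AAAA.csv.
# The column names "ip" and "service" are assumed; the post does not name them.
LOOKUP_CSV = """ip,service
10.0.0.5,webmail
10.0.0.6,vpn
10.0.0.7,hr-portal
"""
# Constructed sample events (think firewall logs) carrying a dest_ip field.
EVENTS = [
    {"dest_ip": "10.0.0.5", "action": "allowed"},
    {"dest_ip": "10.0.0.6", "action": "blocked"},
    {"dest_ip": "10.0.0.5", "action": "allowed"},
    {"dest_ip": "192.0.2.9", "action": "allowed"},  # not in the lookup
]


def load_lookup(csv_text, key="ip", value="service"):
    """Parse the lookup CSV into a dict, rejecting what would make the lookup
    silently match nothing: missing columns, duplicate keys, malformed IPs."""
    reader = csv.DictReader(csv_text.splitlines())
    cols = reader.fieldnames or []
    if key not in cols or value not in cols:
        raise ValueError(f"expected columns {key!r} and {value!r}, got {cols}")
    table = {}
    for row in reader:
        ip = row[key].strip()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if ip in table:
            raise ValueError(f"duplicate lookup key {ip}")
        table[ip] = row[value].strip()
    return table


def enrich(events, table, key="dest_ip", out="service"):
    """Same as: ... | lookup testing_AA ip AS dest_ip OUTPUT service
    (events whose IP is not in the table get no `service` field)."""
    enriched = []
    for ev in events:
        row = dict(ev)
        if ev.get(key) in table:
            row[out] = table[ev[key]]
        enriched.append(row)
    return enriched


def hits_per_service(enriched):
    """Same as: ... | stats count BY service, the figure a dashboard panel shows."""
    return Counter(ev["service"] for ev in enriched if "service" in ev)
```

Run the validation against your real CSV before uploading it: a duplicate key or a stray space in a header is the usual reason a lookup returns nothing in Splunk.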