Skip to main content

Splunk - Adding a lookup

These days many companies started using Splunk for security monitoring and the only thing I can say is “it is worth it”.
Splunk can significantly reduce the work load, just imagine that you are operating more than 20 Security Solutions which generated tons of logs and you have to identify an attack and of course react in a prompt fashion. I can certainly recommend Splunk for such scenarios.
Of course everything comes at a cost and Splunk is definitely not a cheap product.
I am now using Splunk for past 3 years but still from time to time I need to google some stuff to fix my issues and many a times I had to spend a bit too much time even though the Splunk community is very strong. May be I was not looking into the right direction and perhaps I was too naive to understand what others were talking. Therefore with the medium of my blog, I will share some useful information for all the splunk users.
Creating a lookup:
There are use cases in Splunk where sometimes static information is required to search but is not available in Index. For these kinds of cases we create static Lookup. Splunk supports static CSV or the output of a python script as a lookup.
I will sight an example of a static CSV, once you have created a lookup you may use it in searches depending upon your use cases.
We will start with an example of a list of some IP list that you know are static and let's say different services in your organization are behind these IPs and you would like to see the results in a dashboard based upon the lookup IPs.

In order to start, go to settings and there you will see Lookups menu as shown below:
Now we need to upload our CSV therefore we go to the Lookup table files
Add lookup table that we just created, in case of destination app you can select any app if you have already installed many apps and you would like only a particular app to have access to this lookup.
Name as described by Splunk itself, in case of CSV file we should use .csv as an extension.
Once you upload the file, you need to create lookup definitions. Give any name to the definition and since we are using a CSV file in order to create a lookup therefore choose File-Based. Select destination app where you would like to use these definitions.
Once you are done creating Lookup definitions you will notice that it will automatically tell you the supported fields as below:
If you would like extract the fields from your lookup, go to the search and use following command to see the lookup file: | inputlookup name of the lookup or lookup definition
Here we have used
Lookup table: AAAA.csv
Lookup definition : testing_AA
And the result will be similar as shown here:


Popular posts from this blog

Splunk - Drop Down Management Dashboard for Attacks

Scenario: You might have many security devices as input resource and many of them have standard apps already designed for Splunk(Also available for free) but even then in some cases you would like to create your own Dashboards based on your own requirements especially when you would like to report to the management customers and so on. Here I will explain a Web Application Firewall as an input resource where we might have multiple services registered into WAF and in Splunk you would like to create a dashboard for management based on a drop down menu for different services.
To start with, we will use the same lookup that we have created in my previous blog. First you need to know what you would like to present in a dashboard. In my case, I am taking a simple scenario that I would like to present the number of attacks from a country that is happening to any particular service in a given period of time. It would also present some additional details like as follows: Time Source IP Country Act…

Cloud based WAF against cyber attacks?

Target :
Alexa Global Rank : 427 Rank in India : 31 I deal with Web Application Firewalls in my daily operations and I got to know some more in the market out of which everyone claims that they are the best. Every time we talk about web application firewalls, one basic question arises, can we completely mitigate all the web related risks onto a WAF? Another question that arises in my mind is, can small and medium size businesses afford to have an in-house WAF for all their applications, I think NOT as it requires some investment, continuous maintenance and continuous WAF operations, moreover awareness about the Security, which is mostly missed. These factors evolves a new business model  "Cloud Based WAF" Why Cloud based WAF? Easy to affordMitigate risks onto third partyEasy to maintainCompliance & Governance

Hmm......Sounds very promising with the money back guarantee, 10$ per month can be cheaper than a piz…