Skip to main content

Splunk - Adding a lookup



These days many companies started using Splunk for security monitoring and the only thing I can say is “it is worth it”.
 
Splunk can significantly reduce the work load, just imagine that you are operating more than 20 Security Solutions which generated tons of logs and you have to identify an attack and of course react in a prompt fashion. I can certainly recommend Splunk for such scenarios.
Of course everything comes at a cost and Splunk is definitely not a cheap product.
 
I am now using Splunk for past 3 years but still from time to time I need to google some stuff to fix my issues and many a times I had to spend a bit too much time even though the Splunk community is very strong. May be I was not looking into the right direction and perhaps I was too naive to understand what others were talking. Therefore with the medium of my blog, I will share some useful information for all the splunk users.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Creating a lookup:
There are use cases in Splunk where sometimes static information is required to search but is not available in Index. For these kinds of cases we create static Lookup. Splunk supports static CSV or the output of a python script as a lookup.
I will sight an example of a static CSV, once you have created a lookup you may use it in searches depending upon your use cases.
We will start with an example of a list of some IP list that you know are static and let's say different services in your organization are behind these IPs and you would like to see the results in a dashboard based upon the lookup IPs.

In order to start, go to settings and there you will see Lookups menu as shown below:
Now we need to upload our CSV therefore we go to the Lookup table files
Add lookup table that we just created, in case of destination app you can select any app if you have already installed many apps and you would like only a particular app to have access to this lookup.
Name as described by Splunk itself, in case of CSV file we should use .csv as an extension.
Once you upload the file, you need to create lookup definitions. Give any name to the definition and since we are using a CSV file in order to create a lookup therefore choose File-Based. Select destination app where you would like to use these definitions.
Once you are done creating Lookup definitions you will notice that it will automatically tell you the supported fields as below:
If you would like extract the fields from your lookup, go to the search and use following command to see the lookup file: | inputlookup name of the lookup or lookup definition
Here we have used
Lookup table: AAAA.csv
Lookup definition : testing_AA
And the result will be similar as shown here:



Labels:

Comments

Post a Comment

Popular posts from this blog

Cloud based WAF sucks more than you thought - Privacy?

In my  previous  post, I have described a basic diagram of WAF into any network. Now imagine if we just place WAF into a cloud and for an easy explanation,instead of reinventing the wheel, I will refer to the Sucuri’s  diagram  here   It is clearly stated in this diagram that Sucuri's network will protect your website against hackers who may perform injection attacks like XSS, SQL Injection, Command injection etc. Now in real life to an end user, it is quite complicated to figure out whether there is a WAF in place or not and actually why an end user would be interested. His/Her only concern would be that their personal information should be properly taken care off while they’re visiting a website. But as an end customer how would you make sure that the information that you are providing will be taken care of and without your consent, it won’t be shared with any third party. Well it is quite a complex question, especially for the people who have nothing to do...
Post a Comment
Read more

Cloud based WAF against cyber attacks?

Target  :  www.bhaskar.com Alexa Global Rank  : 427 Rank in India  : 31 I deal with Web Application Firewalls in my daily operations and I got to know some more in the market out of which everyone claims that they are the best. Every time we talk about web application firewalls, one basic question arises, can we completely mitigate all the web related risks onto a WAF? Another question that arises in my mind is, can small and medium size businesses afford to have an in-house WAF for all their applications, I think NOT as it requires some investment, continuous maintenance and continuous WAF operations, moreover awareness about the Security, which is mostly missed. These factors evolves a new business model  "Cloud Based WAF" Why Cloud based WAF? Easy to afford Mitigate risks onto third party Easy to maintain Compliance & Governance Source:  https://sucuri.net/website-firewall/signup   Hmm......Sounds very promising with the ...
Post a Comment
Read more