Skip to main content

Splunk - Adding a lookup

These days many companies started using Splunk for security monitoring and the only thing I can say is “it is worth it”.
Splunk can significantly reduce the work load, just imagine that you are operating more than 20 Security Solutions which generated tons of logs and you have to identify an attack and of course react in a prompt fashion. I can certainly recommend Splunk for such scenarios.
Of course everything comes at a cost and Splunk is definitely not a cheap product.
I am now using Splunk for past 3 years but still from time to time I need to google some stuff to fix my issues and many a times I had to spend a bit too much time even though the Splunk community is very strong. May be I was not looking into the right direction and perhaps I was too naive to understand what others were talking. Therefore with the medium of my blog, I will share some useful information for all the splunk users.
Creating a lookup:
There are use cases in Splunk where sometimes static information is required to search but is not available in Index. For these kinds of cases we create static Lookup. Splunk supports static CSV or the output of a python script as a lookup.
I will sight an example of a static CSV, once you have created a lookup you may use it in searches depending upon your use cases.
We will start with an example of a list of some IP list that you know are static and let's say different services in your organization are behind these IPs and you would like to see the results in a dashboard based upon the lookup IPs.

In order to start, go to settings and there you will see Lookups menu as shown below:
Now we need to upload our CSV therefore we go to the Lookup table files
Add lookup table that we just created, in case of destination app you can select any app if you have already installed many apps and you would like only a particular app to have access to this lookup.
Name as described by Splunk itself, in case of CSV file we should use .csv as an extension.
Once you upload the file, you need to create lookup definitions. Give any name to the definition and since we are using a CSV file in order to create a lookup therefore choose File-Based. Select destination app where you would like to use these definitions.
Once you are done creating Lookup definitions you will notice that it will automatically tell you the supported fields as below:
If you would like extract the fields from your lookup, go to the search and use following command to see the lookup file: | inputlookup name of the lookup or lookup definition
Here we have used
Lookup table: AAAA.csv
Lookup definition : testing_AA
And the result will be similar as shown here:


Popular posts from this blog

Splunk - Drop Down Management Dashboard for Attacks

Scenario: You might have many security devices as input resource and many of them have standard apps already designed for Splunk(Also available for free) but even then in some cases you would like to create your own Dashboards based on your own requirements especially when you would like to report to the management customers and so on. Here I will explain a Web Application Firewall as an input resource where we might have multiple services registered into WAF and in Splunk you would like to create a dashboard for management based on a drop down menu for different services.
To start with, we will use the same lookup that we have created in my previous blog. First you need to know what you would like to present in a dashboard. In my case, I am taking a simple scenario that I would like to present the number of attacks from a country that is happening to any particular service in a given period of time. It would also present some additional details like as follows: Time Source IP Country Act…


DOM When  a web page is loaded, browser creates a Document Object Model. It is a platform and language-neutral interface that allows scripts to dynamically access and update the content, structure, and style of a document.
DOM-Based XSS : It is a Cross-Site-Scripting attack wherein the attack payload is executed as a result of modifying DOM environment in the victim’s browser used by itself. The important thing to consider here that the HTTP response does not change but the client side code in the page behaves differently because of the malicious code injected by the attacker. Note: DOM XSS can be executed in Chrome, therefore if you would like to repeat the steps mentioned below, it is recommended to use chrome browser. Firefox has an inbuilt protection against DOM-Based XSS therefore DOM attacks might not work in Firefox. Few Findings in Wild Target : Global Rank : 81 Rank in US: 55 If you open and go to their privacy policy, you might notice th…

Why not a GDPR for India?

Why not a GDPR for India?
After the recent scandal from Cambridge Analytica, millions of people are concerned over the privacy of their data and so are the Indians. India, one of the biggest markets of Facebook is most exciting market for such companies to test their concepts on artificial intelligence and machine learning. Cheap internet, wide adoption of smartphones and a huge young population totally unaware of the consequences of using the unsafe internet has set the internet product companies to exploit high-value Intel and data generated from India in a much easier way. I will start today with where does India stand in the world of “world wide web or internet” usage. Below are some figures on the number of internet user in millions globally.

Number of Internet users in millions
As the data shows, India stands second in terms of the number of Internet users and it’s increasing at a very rapid rate. Though I must mention that at the moment, India has one of the lowest internet penetr…