I have a search for my IDS / IPS systems feeding Splunk. I want to evaluate all the IDS/IPS events that have triggered and check any of the src_ip or dest_ip that originate from an embargoed country. I have a lookup table with one column called Country. I've tried a few different searches, but none have returned any results. I imagine there must be an eval statement I'm missing somewhere...not sure.
Search:
index=ids_ips [|inputlookup embargoed_countries.csv | fields Country] |dedup src_ip dest_ip|iplocation src_ip|fillnull value=No_Country_Defined Country|table src_ip dest_ip Country
↧