
Using lookup table for whitelisting CIDR ranges in SPL and getting zero results

I'm brand new to Splunk and I'm having difficulty getting a query to return the results I'm looking for. I've checked the knowledge base and I see references to using transforms.conf and props.conf, but I'm in an enterprise environment and don't have access to change those files. I have a .csv lookup I've created that contains a column for CIDR ranges and a column to indicate whether the CIDR range should be whitelisted from search results. I'm trying to run a query for any SMB that is incoming from the internet. My query is listed below.

    index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp
    | lookup smbwhitelist.csv dest_ip OUTPUTNEW iswhitelist as whitelist
    | search NOT whitelist IN ("yes")

This returns all traffic, including all the CIDR ranges I'm trying to whitelist and exclude from the search results. If I remove the NOT from the search, then I receive no results. However, if I manually paste in the CIDR ranges I get results, so I'm missing something. Any pointers in the right direction would be greatly appreciated.
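An added example, not from the original post. The lookup command compares the dest_ip value to the lookup column as a literal string (the default match type for a CSV lookup), so a host address such as 203.0.113.7 never equals a range string such as 203.0.113.0/24: the OUTPUTNEW field is never written, and NOT whitelist IN ("yes") then matches every event because the field is absent, while the form without NOT matches none. The search command, by contrast, does understand CIDR notation against IP-valued fields, which is why pasting the ranges in by hand works. The search below relies on that and needs no transforms.conf change: a subsearch reads the whitelisted ranges out of the CSV and hands them to search as dest_ip="a.b.c.d/nn" terms. It assumes the CSV column holding the ranges is named cidr (the question does not name it); the iswhitelist column and its yes value are taken from the question.

```spl
index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp
    NOT [| inputlookup smbwhitelist.csv
         | where iswhitelist="yes"
         | rename cidr AS dest_ip
         | fields dest_ip]
```

To check what the subsearch feeds into the outer search, run the bracketed part on its own with | format appended; it should return one search field of the form (dest_ip="10.0.0.0/8") OR (dest_ip="192.0.2.0/24"). If the CSV mixes Yes and yes, use where lower(iswhitelist)="yes". Subsearches are capped at 10,000 results and 60 seconds by default, far more than a whitelist needs. If an admin can create a lookup definition in Splunk Web (Settings > Lookups > Lookup definitions, Advanced options, Match type CIDR(cidr)), which does not involve editing transforms.conf by hand, the original lookup-based query works as written against that definition, since events without a match then keep whitelist empty and survive the NOT. For a per-event test without any lookup definition, the eval function cidrmatch("203.0.113.0/24", dest_ip) returns true/false for a single range.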
