
Using lookup table for whitelisting CIDR ranges in SPL and getting zero results

I'm brand new to Splunk and I'm having difficulty getting a query to return the results I'm looking for. I've checked the knowledge base and I see references to using transforms.conf and props.conf, but I'm in an enterprise environment and don't have access to change those files. I have a .csv lookup I've created that contains a column for CIDR ranges and a column to indicate whether the CIDR range should be whitelisted from search results. I'm trying to run a query for any SMB that is incoming from the internet. My query is listed below.

    index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp | lookup smbwhitelist.csv dest_ip OUTPUTNEW iswhitelist as whitelist | search NOT whitelist IN ("yes")

This returns all traffic, including all the CIDR ranges I'm trying to whitelist and exclude from the search results. If I remove the NOT from the search, then I receive no results. However, if I manually paste in the CIDR ranges I get results, so I'm missing something. Any pointers in the right direction would be greatly appreciated.
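
The added example below is not from the question or any answer on this page; it shows one way to apply a CIDR whitelist from the CSV without editing transforms.conf. The reason the posted query matches nothing is that a plain lookup compares dest_ip as an exact string, so an event value such as 10.1.2.3 never equals a CSV row such as 10.0.0.0/8; CIDR matching in a lookup requires a lookup definition with match type CIDR(dest_ip) (which can also be set in Splunk Web under Settings, Lookups, Lookup definitions, Advanced options, rather than in the file). The query below sidesteps that by feeding the whitelisted ranges into the base search, where the search command already does CIDR matching on field values (the same behaviour the question observed when pasting ranges by hand). It assumes the CSV columns are dest_ip (the CIDR range) and iswhitelist, as in the question.

```spl
index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp
    NOT [
        | inputlookup smbwhitelist.csv
        | where iswhitelist="yes"
        | fields dest_ip
        | format
    ]
```

The subsearch expands to `( ( dest_ip="10.0.0.0/8" ) OR ( dest_ip="..." ) )` and the outer NOT drops every event whose dest_ip falls inside any listed range; subsearches are capped at 10,000 result rows by default, so a very large whitelist still needs the CIDR lookup definition.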
