Getting Data In

How to combine lists of source and destination IPs into one unique list to match against a CSV file?

ststephe
Engager

I have a list of source and destination IPs that I'm trying to concatenate into one unique list and check against a CSV file. I'm trying to make a list of all the unique source IPs (I don't need the count, but it'd be nice), add that to a list of unique destination IPs, then take all that and display only the IPs that match a CSV file I have. Does anyone have an idea of how to do that?

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | dedup myIPfield | table myIPfield | eval dataSource="events" | appendpipe [|inputcsv myIPfile.csv | table myIPfield | eval dataSource="CSV"] | stats values(*) AS * dc(dataSource) AS numSources BY myIPfield ...

Then you can finish out with:

For inner join:

| where numSources=2

For left join:

| where dataSource="events"

For right join:

| where dataSource="CSV"

For outer join:

| where numSources=1


somesoni2
Revered Legend

What you're trying to do is definitely possible, but it would be tough to give a solution without knowing your data (are source and dest IP present in the same event, how is the CSV file stored in Splunk;)...

0 Karma
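
An added example, not part of any post above: one way to build the combined unique list when source and destination IPs sit in the same event, keep a count per address, and show only the addresses that also appear in the CSV. The index placeholder `YOUR_INDEX` and the field names `src_ip`, `dest_ip` and `eventCount` are assumptions; `myIPfield` and `myIPfile.csv` are taken from the accepted answer, and `append` is used here in place of that answer's `appendpipe`.

```spl
index=YOUR_INDEX (src_ip=* OR dest_ip=*)
| eval myIPfield=mvdedup(mvappend(src_ip, dest_ip))
| mvexpand myIPfield
| stats count AS eventCount BY myIPfield
| eval dataSource="events"
| append
    [| inputcsv myIPfile.csv
     | fields myIPfield
     | dedup myIPfield
     | eval dataSource="CSV"]
| stats sum(eventCount) AS eventCount values(dataSource) AS dataSource dc(dataSource) AS numSources BY myIPfield
| where numSources=2
| sort - eventCount
```

If the CSV is stored as a lookup table file rather than in Splunk's CSV dispatch directory, `inputlookup` reads it instead of `inputcsv`. The `mvdedup` call keeps an event whose source and destination are the same address from being counted twice.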
