# Keep your Splunk lookup tables in sync with a remote data source

One amazing feature that Splunk offers is the ability to use lookup tables to add context or additional information to a search. It operates in a way similar to a SQL LEFT JOIN: events are matched against an external table on a key field, the other columns of the matching row are pulled into the search results, and events without a match are kept as they were.

Let's say I have some nginx logs from a corporate webserver and those logs contain the email address of each employee who accesses it. Let's use this log line as an example:

```
1.1.1.1 - "POST /admin.php HTTP/1.1" 200 2 - "Mozilla/5.0 (Macintosh U Intel Mac OS X 10_6_4 en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.25 Safari/534.3"
```

As a security engineer, I'll want to be able to pull in as much context as possible about this event. Who is this employee? What is their job function? Etc.

Assuming I have the ability to export a database table of information about our employees to a CSV, I can upload that to Splunk as a lookup table. To keep it simple, let's say the newly uploaded lookup table consists of one row and looks like this:

```
# employee_lookup.csv
+------------+-----------+------------+----------------+
| first_name | last_name | title      | employee_email |
+------------+-----------+------------+----------------+
| John       | Doe       | Accountant |                |
+------------+-----------+------------+----------------+
```

We could then take a query that looks something like this (using our example log line):

```
index=nginx | table src_ip, username
```

which would simply return the following results:

```
+---------+----------+
| src_ip  | username |
+---------+----------+
| 1.1.1.1 |          |
+---------+----------+
```

and then add context to it using the `lookup` command, telling Splunk that the `employee_email` column of the table corresponds to the `username` field of the events:

```
index=nginx | table src_ip, username | lookup employee_lookup.csv employee_email AS username
```

When performing the lookup, Splunk joins all the additional fields present in the lookup table onto the search results, keying off the field that you specify. The results now carry the employee's details:

```
+---------+----------+------------+-----------+------------+
| src_ip  | username | first_name | last_name | title      |
+---------+----------+------------+-----------+------------+
| 1.1.1.1 |          | John       | Doe       | Accountant |
+---------+----------+------------+-----------+------------+
```

This can be very powerful from a security operations perspective if you have tables containing employee information and their hardware assets.

## Dynamic Lookup Tables

Standard lookup tables are great if you're working with a static dataset that is unlikely to ever change. For whatever reason, Splunk hasn't provided a useful way to edit lookup tables once they've been uploaded. If you have an updated dataset, you're probably going to be stuck deleting the original lookup table and then uploading the new one. The workflow is slow and horrible and something I wish Splunk would improve.
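To make the join semantics of the `lookup` command concrete, here is an added example (my own code, not part of the original post or of Splunk) that parses a few constructed nginx access-log lines, loads a constructed `employee_lookup.csv`, and applies the same `employee_email AS username` join in plain Python. The email addresses, log lines and the helper names (`parse_nginx`, `lookup`, `enrich`) are assumptions made for the example. It also shows the two behaviours a practitioner should expect from Splunk's default CSV lookup: events with no matching row are kept but gain no fields, and matching is case-sensitive unless the lookup definition is configured otherwise.

```python
"""Added example: reproduce what `| lookup employee_lookup.csv employee_email AS
username` does to search results, so the join behaviour can be checked offline.
This is illustrative code, not Splunk's implementation."""
import csv
import io
import re
from typing import Dict, List

# Constructed lookup table; the email addresses are made up for this example.
EMPLOYEE_LOOKUP_CSV = """first_name,last_name,title,employee_email
John,Doe,Accountant,john.doe@example.com
Jane,Roe,Sysadmin,jane.roe@example.com
"""

# Constructed nginx access-log lines in the default "combined" format, where
# $remote_user carries the authenticated employee's email address.
NGINX_LOG = """1.1.1.1 - john.doe@example.com [10/Oct/2023:13:55:36 +0000] "POST /admin.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"
2.2.2.2 - jane.roe@example.com [10/Oct/2023:13:56:01 +0000] "GET /status HTTP/1.1" 200 45 "-" "curl/8.0"
3.3.3.3 - contractor@example.net [10/Oct/2023:13:57:12 +0000] "GET /admin.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
4.4.4.4 - John.Doe@example.com [10/Oct/2023:13:58:40 +0000] "GET /admin.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
COMBINED_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<username>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def parse_nginx(log_text: str) -> List[Dict[str, str]]:
    """Extract one event (dict of fields) per well-formed combined-format line."""
    events = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def load_lookup(csv_text: str) -> List[Dict[str, str]]:
    """Read the lookup table as rows keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, lookup_field, event_field, case_sensitive=True):
    """Mimic `| lookup <table> <lookup_field> AS <event_field>`.

    For each event, find the row whose lookup_field equals the event's
    event_field and copy every other column of that row onto the event.
    Unmatched events are kept unchanged (a left join), which is Splunk's
    default. Simplification: only the first matching row is used, whereas
    Splunk returns multiple matches as multivalued fields.
    """
    def norm(value):
        return value if case_sensitive else value.lower()

    index = {}
    for row in table:
        index.setdefault(norm(row[lookup_field]), row)  # first row wins
    out = []
    for ev in events:
        enriched = dict(ev)
        row = index.get(norm(ev.get(event_field, "")))
        if row is not None:
            for col, val in row.items():
                if col != lookup_field:
                    enriched[col] = val
        out.append(enriched)
    return out


def project(events, *fields):
    """Mimic `| table f1, f2, ...`: keep only the named fields, blank if absent."""
    return [{f: ev.get(f, "") for f in fields} for ev in events]


def enrich(case_sensitive=True):
    """Run the whole pipeline: parse, lookup, then table the enriched fields."""
    events = parse_nginx(NGINX_LOG)
    rows = lookup(events, load_lookup(EMPLOYEE_LOOKUP_CSV),
                  "employee_email", "username", case_sensitive)
    return project(rows, "src_ip", "username", "first_name", "last_name", "title")


if __name__ == "__main__":
    for row in enrich():
        print(row)
```

Running it shows the third event (a user absent from the table) passing through with empty `first_name`, `last_name` and `title`, and the fourth event (`John.Doe@example.com`) also unmatched because the key differs in case from the CSV; calling `enrich(case_sensitive=False)` matches it. In Splunk that second behaviour corresponds to the `case_sensitive_match` setting of the lookup definition, which defaults to case-sensitive, so normalise the key (for example with `lower()`) in the search or in the exported CSV if your identity source is not consistent about letter case.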