https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381217#M6179 <P>Hey all,</P> <P>I have a fairly simple question.</P> <P>I have a web proxy index that has a url field.</P> <P>I have a CSV that contains malicious TLD's (.ru, .cn).</P> <P>I'm trying to create the right query to match the CSV to this field in the web proxy index ?<BR /> So if traffic is seen for url=hackingsite.ru, that it gets compared to the CSV and sees that a .ru domain is bad (so it matches).</P> <P>index=webproxy [|inputlookup MalciousDNSTLD.csv | fields dns] | eval dns=url | table url</P> <P>But, I know I am missing something from the query, looking for some generous help.</P> <P>Thanks.</P> Fri, 17 May 2019 23:30:50 GMT harrysof 2019-05-17T23:30:50Z https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381217#M6179 <P>Hey all,</P> <P>I have a fairly simple question.</P> <P>I have a web proxy index that has a url field.</P> <P>I have a CSV that contains malicious TLD's (.ru, .cn).</P> <P>I'm trying to create the right query to match the CSV to this field in the web proxy index ?<BR /> So if traffic is seen for url=hackingsite.ru, that it gets compared to the CSV and sees that a .ru domain is bad (so it matches).</P> <P>index=webproxy [|inputlookup MalciousDNSTLD.csv | fields dns] | eval dns=url | table url</P> <P>But, I know I am missing something from the query, looking for some generous help.</P> <P>Thanks.</P> Fri, 17 May 2019 23:30:50 GMT https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381217#M6179 harrysof 2019-05-17T23:30:50Z https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381218#M6180 <P>Still many people try to use <CODE>| inputlookup</CODE> when it's not needed. What you rather want to use is <CODE>| lookup</CODE> which maps to your use case perfectly. Be sure to have a lookup definition because usually you don't call lookups by "lookup.csv" but by it's lookup definition name (stanza name). <BR /> Will be something like</P> <PRE><CODE> index=webproxy | lookup MalciousDNSTLD field1 AS field2 OUTPUT field2 as field2 | where isnull(field2) </CODE></PRE> <P>.. or <CODE>isnotnull()</CODE> depending what you want (is in the badurls list or isn't.<BR /> Look at the <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/lookup">docs</A> for a description of which field to use where. It's rather simple. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Skalli</P> Sat, 18 May 2019 13:23:36 GMT https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381218#M6180 skalliger 2019-05-18T13:23:36Z https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381219#M6181 <P>@harrysof depends on what is the value of <CODE>url</CODE> field in the webproxy index and what is the value of dns in the TLD csv file?</P> <P>Based on the description seems like TLD csv only has TLD info like .ru or .cn. What are you matching this against in the index?</P> Sat, 18 May 2019 13:58:17 GMT https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381219#M6181 niketn 2019-05-18T13:58:17Z https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381220#M6182 <P>Consider also making the lookup values wildcard match type.</P> Mon, 20 May 2019 17:51:39 GMT https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381220#M6182 starcher 2019-05-20T17:51:39Z https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381221#M6183 <P>First, install <CODE>URL toolbox</CODE>:<BR /> <A href="https://splunkbase.splunk.com/app/2734/">https://splunkbase.splunk.com/app/2734/</A></P> <P>Then do this:</P> <PRE><CODE>index=webproxy | lookup ut_parse_extended_lookup url | rex field=ut_domain "\.(&lt;tld&gt;[^\.]+)$" | lookup MalciousDNSTLD.csv dns AS tld OUTPUT dns AS malicious | where isnotnull(malicious) </CODE></PRE> Sat, 06 Jul 2019 18:40:40 GMT https://community.splunk.com/t5/Knowledge-Management/Comparing-logs-with-inputlookup-files/m-p/381221#M6183 woodcock 2019-07-06T18:40:40Z