https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501880#M140553 <P>index=proxy domain=*<BR /> | rename domain as emotet_domain <BR /> | where <BR /> [| inputlookup test<BR /> | fields emotet_domain] <BR /> | stats values(emotet_domain) as emotetDomain</P> <P>so inside the lookup list i want to be able to match for example a threat of -- reason.com OR <A href="http://www.reason.com" target="_blank">www.reason.com</A></P> <P>i added the matchtype option of WILDCARD(emotet_domain) AND I have also tried WILDCARD(domain) I am not sure whihc one will help wildcard it, but as of right now it is NOT working.</P> Wed, 30 Sep 2020 04:44:16 GMT rtalcik 2020-09-30T04:44:16Z https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501880#M140553 <P>index=proxy domain=*<BR /> | rename domain as emotet_domain <BR /> | where <BR /> [| inputlookup test<BR /> | fields emotet_domain] <BR /> | stats values(emotet_domain) as emotetDomain</P> <P>so inside the lookup list i want to be able to match for example a threat of -- reason.com OR <A href="http://www.reason.com" target="_blank">www.reason.com</A></P> <P>i added the matchtype option of WILDCARD(emotet_domain) AND I have also tried WILDCARD(domain) I am not sure whihc one will help wildcard it, but as of right now it is NOT working.</P> Wed, 30 Sep 2020 04:44:16 GMT https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501880#M140553 rtalcik 2020-09-30T04:44:16Z https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501881#M140554 <PRE><CODE>index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format] | lookup test emotet_domain as domain OUTPUT emotet_domain </CODE></PRE> Sat, 28 Mar 2020 01:30:39 GMT https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501881#M140554 to4kawa 2020-03-28T01:30:39Z https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501882#M140555 <P>Assuming that your lookup has domain values like <CODE>reason.com</CODE>, all you need to do is this and then it should work:</P> <PRE><CODE>inputlookup test | eval emotet_domain = "*." . emotet_domain | outputlookup test </CODE></PRE> <P>Then use it like this:</P> <PRE><CODE>index=proxy domain=* | lookup test emotet_domain AS domain OUTPUT emotet_domain AS MATCHED | where isnotnull(MATCHED) </CODE></PRE> Sun, 29 Mar 2020 22:39:08 GMT https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501882#M140555 woodcock 2020-03-29T22:39:08Z https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501883#M140556 <P>Thanks this would def help in the future, unfortunately what was below will help even better.</P> Mon, 30 Mar 2020 00:08:56 GMT https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501883#M140556 rtalcik 2020-03-30T00:08:56Z https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501884#M140557 <P>So, what this is doing is it is searching all the events that happened and that it matches. I need to match the latest event so it only triggers an alert.</P> <P>I also need to add more to it as well such as</P> <P>index=proxy domain=* OR index=network* src_ip=* dest_ip=*<BR /> [| inputlookup test<BR /> | stats values(emotet_domain) as query, values(emotet_ip) as IP<BR /> |format]<BR /> | lookup test emotet_domain as domain OUTPUT emotet_domain<BR /> | lookup test emotet_ip as dest_ip OUTPUT emotet_ip<BR /> | lookup test emotet_ip as src_ip OUTPUT emotet_ip</P> <P>will this work??</P> Wed, 30 Sep 2020 04:49:37 GMT https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501884#M140557 rtalcik 2020-09-30T04:49:37Z https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501885#M140558 <P>I see what you want.<BR /> Let's ask another question.<BR /> at the time, please provide Csv sample and setting.</P> Mon, 30 Mar 2020 09:24:55 GMT https://community.splunk.com/t5/Splunk-Search/Match-all-possible-matches-to-lookuplist/m-p/501885#M140558 to4kawa 2020-03-30T09:24:55Z