https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489965#M194104 <P>Hi Hars,</P> <P>unfortunately it didn't work, no events showed.</P> <P>Would you please advice?</P> Fri, 01 May 2020 16:42:47 GMT zayedaljaberi 2020-05-01T16:42:47Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489963#M194102 <P>Hi ,</P> <P>my goal is to detect if there is any matches with my custom Domain_IOC.csv list and display additional column for the note.</P> <P>Domain_IOC.csv list includes <STRONG>two columns</STRONG><BR /> Domain and ioc_note (example picture attached of lookup table)<IMG src="https://community.splunk.com/storage/temp/291637-splunk-ioc-example.png" alt="alt text" /></P> <P>I want the output to be if there was matches with domain is to include the ioc_note column as well.</P> <P>Current Query I have (Which provides me the matches with domain but doesn't include ioc_note column)</P> <PRE><CODE>index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain] | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | stats values(Domain) as IOC by Date,host,Account,IP,Action </CODE></PRE> <P>For your kind support.</P> Wed, 30 Sep 2020 05:16:50 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489963#M194102 zayedaljaberi 2020-09-30T05:16:50Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489964#M194103 <P>Hi,</P> <P>Please try below seaarch</P> <PRE><CODE>index=dns sourcetype="dnslog" | stats values(Domain) as Domain by _time,host,Account,IP,Action | lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note | where isnotnull(ioc_note) | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time </CODE></PRE> Fri, 01 May 2020 12:05:29 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489964#M194103 harsmarvania57 2020-05-01T12:05:29Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489965#M194104 <P>Hi Hars,</P> <P>unfortunately it didn't work, no events showed.</P> <P>Would you please advice?</P> Fri, 01 May 2020 16:42:47 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489965#M194104 zayedaljaberi 2020-05-01T16:42:47Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489966#M194105 <P>If you run below query, are you getting any result ?</P> <PRE><CODE>index=dns sourcetype="dnslog" | stats values(Domain) as Domain by _time,host,Account,IP,Action </CODE></PRE> Mon, 04 May 2020 08:32:32 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489966#M194105 harsmarvania57 2020-05-04T08:32:32Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489967#M194106 <P>Hi,</P> <P>No results based on your query</P> <P>to verify that i'm receiving the events in the screenshot below<BR /> <IMG src="https://i.ibb.co/p001GnR/sample-dns.png" alt="alt text" /></P> Tue, 05 May 2020 13:24:14 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489967#M194106 zayedaljaberi 2020-05-05T13:24:14Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489968#M194107 <P>Try below query</P> <PRE><CODE>index=dns sourcetype="dnslog" | stats count by _time,Domain,host,Action | lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note | where isnotnull(ioc_note) | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time </CODE></PRE> Tue, 05 May 2020 14:05:19 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489968#M194107 harsmarvania57 2020-05-05T14:05:19Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489969#M194108 <PRE><CODE> index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv | fields Domain] | stats count by _time, Domain, Action, Category | inputlookup append=t Domain_IOC.csv | eval Domain=trim(Domain,".") | eval Domain=trim(Domain,"*") | sefljoin Domain | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time </CODE></PRE> <P>Hi folks<BR /> <EM>Domain</EM> in search has extra <CODE>.(dot)</CODE> and <EM>Domain</EM> in lookup has extra <CODE>*(astarisk)</CODE>.<BR /> These can't match by <CODE>lookup</CODE>.</P> Tue, 05 May 2020 16:10:55 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489969#M194108 to4kawa 2020-05-05T16:10:55Z https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489970#M194109 <P>Nice find I didn’t notice extra dot and wildcard in lookup. However you can do wildcard lookup and it is possible have a look at my answer <A href="https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html">https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html</A></P> Tue, 05 May 2020 16:46:57 GMT https://community.splunk.com/t5/Splunk-Search/IOC-Inputlookup/m-p/489970#M194109 harsmarvania57 2020-05-05T16:46:57Z