https://community.splunk.com/t5/Splunk-Search/Check-if-domain-is-found-in-local-lookup-file-containing-over-10/m-p/665674#M228383 <P>Hi all,</P><P>I been working on new rule and I just can't get it work fully. I know that there are many similar questions/answers on the forum related to this but none of them work for me.<BR /><BR />The events contain field "TargetUserOrGroupName" containing an email address e.g.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">TargetUserOrGroupName = testmail@gmail.com</LI-CODE><P>&nbsp;</P><P><BR />I use split and mvindex to get only email domain out of&nbsp;TargetUserOrGroupName:</P><P>&nbsp;</P><LI-CODE lang="markup">| eval email_domain = mvindex(split(TargetUserOrGroupName, "@"),1)</LI-CODE><P>&nbsp;</P><P>&nbsp;<BR />Then I want to check if "email_domain" is in lookup "free_email_domains.csv"<BR /><BR />I was able to get this easily working (partial) with sub search and inputlookup</P><P>&nbsp;</P><LI-CODE lang="markup">| search email_domain=* [|inputlookup free_email_domains.csv.csv | fields email_domain]</LI-CODE><P><BR />But there is issue with getting all data as sub-search returns only 10 000 entries resulting in free email domains not being in first 10k rows are not matched.<BR /><BR />The local csv file contains only column email_domains (i did added "is_free_domain" column with value "Yes" in lookup while testing but it can be removed if not needed)<BR /><BR />Any help is welcome as I cant get lookup command to work (maybe due to additional extracting of field value)</P><P>&nbsp;</P> Fri, 20 Oct 2023 13:15:55 GMT licroBI_0x1 2023-10-20T13:15:55Z https://community.splunk.com/t5/Splunk-Search/Check-if-domain-is-found-in-local-lookup-file-containing-over-10/m-p/665674#M228383 <P>Hi all,</P><P>I been working on new rule and I just can't get it work fully. I know that there are many similar questions/answers on the forum related to this but none of them work for me.<BR /><BR />The events contain field "TargetUserOrGroupName" containing an email address e.g.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">TargetUserOrGroupName = testmail@gmail.com</LI-CODE><P>&nbsp;</P><P><BR />I use split and mvindex to get only email domain out of&nbsp;TargetUserOrGroupName:</P><P>&nbsp;</P><LI-CODE lang="markup">| eval email_domain = mvindex(split(TargetUserOrGroupName, "@"),1)</LI-CODE><P>&nbsp;</P><P>&nbsp;<BR />Then I want to check if "email_domain" is in lookup "free_email_domains.csv"<BR /><BR />I was able to get this easily working (partial) with sub search and inputlookup</P><P>&nbsp;</P><LI-CODE lang="markup">| search email_domain=* [|inputlookup free_email_domains.csv.csv | fields email_domain]</LI-CODE><P><BR />But there is issue with getting all data as sub-search returns only 10 000 entries resulting in free email domains not being in first 10k rows are not matched.<BR /><BR />The local csv file contains only column email_domains (i did added "is_free_domain" column with value "Yes" in lookup while testing but it can be removed if not needed)<BR /><BR />Any help is welcome as I cant get lookup command to work (maybe due to additional extracting of field value)</P><P>&nbsp;</P> Fri, 20 Oct 2023 13:15:55 GMT https://community.splunk.com/t5/Splunk-Search/Check-if-domain-is-found-in-local-lookup-file-containing-over-10/m-p/665674#M228383 licroBI_0x1 2023-10-20T13:15:55Z https://community.splunk.com/t5/Splunk-Search/Check-if-domain-is-found-in-local-lookup-file-containing-over-10/m-p/665699#M228389 <P>To determine if a given field value is in a lookup file, use the <FONT face="courier new,courier">lookup</FONT> command.</P><P>&nbsp;</P><LI-CODE lang="markup">| eval email_domain = mvindex(split(TargetUserOrGroupName, "@"),1) | lookup free_email_domains.csv.csv email_domain OUTPUT is_free_domain ``` If email_domain is not in the lookup file then is_free_domain will be null ``` | where isnotnull(is_free_domain)</LI-CODE><P>&nbsp;</P> Fri, 20 Oct 2023 15:25:36 GMT https://community.splunk.com/t5/Splunk-Search/Check-if-domain-is-found-in-local-lookup-file-containing-over-10/m-p/665699#M228389 richgalloway 2023-10-20T15:25:36Z https://community.splunk.com/t5/Splunk-Search/Check-if-domain-is-found-in-local-lookup-file-containing-over-10/m-p/665830#M228451 <P>Hi&nbsp;<SPAN>richgalloway,</SPAN></P><P>Thank you for reply, I did try as you suggested with lookup command and it didn't work but....</P><P>Because of you response I went and tried it again, this time utilizing lower() option and finding it work <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>Thank you for help&nbsp;<span class="lia-unicode-emoji" title=":flexed_biceps:">💪</span></P> Mon, 23 Oct 2023 10:14:41 GMT https://community.splunk.com/t5/Splunk-Search/Check-if-domain-is-found-in-local-lookup-file-containing-over-10/m-p/665830#M228451 licroBI_0x1 2023-10-23T10:14:41Z