https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270444#M81394 <P>Yes, so would your <CODE>map</CODE> search.</P> Mon, 12 Oct 2015 20:48:03 GMT martin_mueller 2015-10-12T20:48:03Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270440#M81390 <P>I'm looking through DNS logs in one index. They are normal DNS logs, so they have the normal query containing the host+domain. I have threat data which just has the domain in another index. </P> <PRE><CODE>index=main sourcetype=dns | map search="index=sec u_type=domain u_status=Active earliest=0 latest=now u_indicator=$domain$" </CODE></PRE> <P>above is what i've come up with so far, but it doesn't seem to work. Am I looking at this wrong? I want to make sure that if the domain in the threat data exist at all in the dns domain data, then I get a alert. </P> <P>Any suggestions?</P> Mon, 12 Oct 2015 19:06:14 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270440#M81390 wweiland 2015-10-12T19:06:14Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270441#M81391 <P>If the number of threat domains is manageable, you can do something like this:</P> <PRE><CODE>index=main sourcetype=dns [search index=sec u_type=domain u_status=Active earliest=0 latest=now | dedup u_indicator | fields u_indicator | rename u_indicator as domain] </CODE></PRE> <P>If the number is larger, consider moving it to a lookup.</P> Mon, 12 Oct 2015 19:56:22 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270441#M81391 martin_mueller 2015-10-12T19:56:22Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270442#M81392 <P>When you are using map, it is better to have a deduplicated list of the values you want to map.</P> <P>For example:</P> <PRE><CODE>index=main sourcetype=dns | dedup domain | table domain | map search="index=sec u_type=domain u_status=Active earliest=0 latest=now u_indicator=$domain$" </CODE></PRE> <P>Another way you could do it would be using the <CODE>set</CODE> command:</P> <PRE><CODE>| set intersect [ index=main sourcetype=dns | fields - _* | fields domain] [ index=sec u_type=domain u_status=Active | fields - _* | fields u_indicator] </CODE></PRE> <P>Which I personally find a little clearer.</P> <HR /> <P>Please remember - subsearches have limits - please look at sideview's answer <A href="https://answers.splunk.com/answers/207150/how-to-overcome-sub-search-limitation-only-10k-rec.html">here</A> for an example of using lookups.</P> Mon, 12 Oct 2015 20:00:19 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270442#M81392 aljohnson_splun 2015-10-12T20:00:19Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270443#M81393 <P>Would this only trigger if the domain exactly matches the u_indicator?</P> Mon, 12 Oct 2015 20:39:07 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270443#M81393 wweiland 2015-10-12T20:39:07Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270444#M81394 <P>Yes, so would your <CODE>map</CODE> search.</P> Mon, 12 Oct 2015 20:48:03 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270444#M81394 martin_mueller 2015-10-12T20:48:03Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270445#M81395 <P>Can you think of a way I can write it so that if u_indicator is in any part of domain it would trigger? I was trying to think of how to use the if(match) but I can't seem to come up with the way.</P> Mon, 12 Oct 2015 20:53:38 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270445#M81395 wweiland 2015-10-12T20:53:38Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270446#M81396 <P>Yeah, but it might be very slow:</P> <PRE><CODE>index=main sourcetype=dns [search index=sec u_type=domain u_status=Active earliest=0 latest=now | dedup u_indicator | fields u_indicator | rename u_indicator as domain | eval domain = "*".domain."*"] </CODE></PRE> Mon, 12 Oct 2015 21:35:28 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270446#M81396 martin_mueller 2015-10-12T21:35:28Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270447#M81397 <P>With the lookup-based approach, you can set the lookup to match using wildcards and include those asterisks in the lookup.</P> Mon, 12 Oct 2015 21:36:06 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270447#M81397 martin_mueller 2015-10-12T21:36:06Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270448#M81398 <P>Thank you kind sir. That works like a charm.</P> Mon, 12 Oct 2015 21:51:51 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270448#M81398 wweiland 2015-10-12T21:51:51Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270449#M81399 <P>It also occurred to me that I could output the threat data to outputcsv and then do the same query against inputcsv? Can I still do the eval if I do that?</P> Wed, 14 Oct 2015 15:27:07 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270449#M81399 wweiland 2015-10-14T15:27:07Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270450#M81400 <P>evals are interpreted before lookups, but if they are in separate queries, should be no problem.</P> Thu, 15 Oct 2015 01:59:12 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270450#M81400 mreynov_splunk 2015-10-15T01:59:12Z https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270451#M81401 <P>So the query works as written, but I ran into the problem that you suspected I would have. Trying to compare 50k threat domains to each record with a wildcard is taking 8 mins for a 15 min period. The only way I can think to resolve the problem would be to use a custom search command and drop it to python with dictionaries. Problem is, I don't control the Splunk back-end and can't add custom commands easily. Any suggestions on what I could do within native Splunk? Would lookup tables be faster than inputcsv?</P> Thu, 15 Oct 2015 16:18:09 GMT https://community.splunk.com/t5/Splunk-Search/Looking-to-see-if-a-string-is-present-in-another-search/m-p/270451#M81401 wweiland 2015-10-15T16:18:09Z