Getting Data In

How to create automatic wildcard lookups against more than one field in a CSV file?

psidler
Explorer

Hi,

I have defined a Automatic Lookup to a CSV File with several values per line.
I would create automatic wildcard lookups against more than one field in the csv. Is this possible?

I have tried the following but not successful:

props.conf

[squid]
LOOKUP-MandiantAPT = MandiantAPT domain AS uri_host OUTPUTNEW
LOOKUP-MandiantAPT = MandiantAPT filename AS uri_path OUTPUTNEW

transforms.conf

[MandiantAPT]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(domain)
match_type = WILDCARD(filename)

mandiant-apt.csv

domain,description,isbad,md5,filename,filesize,stringlist
"*advanbusiness.com*","Mandiant APT",true,"*001dd76872d80801692ff942308c64e6*","*121.exe*","*10233*","*!@#%$^#@!*"
"*aoldaily.com*","Mandiant APT",true,"*002325a0a67fded0381b5648d7fe9b8e*","*162.exe*","*10240*","*@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*"

Has anyone an idea? Thank you in advance for your help.
Regards,
Patrik

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

You should just set up two different lookups (pointing to the same file)

[squid]
LOOKUP-MandiantAPTd = MandiantAPTd domain AS uri_host OUTPUTNEW
LOOKUP-MandiantAPTf = MandiantAPTf filename AS uri_path OUTPUTNEW

[MandiantAPTd]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(domain)

[MandiantAPTf]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(filename)

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

You should just set up two different lookups (pointing to the same file)

[squid]
LOOKUP-MandiantAPTd = MandiantAPTd domain AS uri_host OUTPUTNEW
LOOKUP-MandiantAPTf = MandiantAPTf filename AS uri_path OUTPUTNEW

[MandiantAPTd]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(domain)

[MandiantAPTf]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(filename)

psidler
Explorer

Works perfect!
Thank you for your help. Patrik

0 Karma

gunzola
Path Finder

Can also be done in the same lookup definition as..
example:
[MandiantAPT]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(domain),WILDCARD(filename)

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...