Knowledge Management

How can i use a lookup table for a partial match against an index?

dusoldkai
New Member

What i wanted to do is a simple search in our Proxy logs to find accesses to known bad Domain names. Currently we do not have the threatintelligence-app installed.

I created a lookup table that only consists of one column called murl containing domain names hosting malicious sites.

| inputlookup table.csv produces a simple list

covidcyphers.com
covid19sci.com
suite401-covid19.com
covid-taskforce.com
titan-covid19.online

if i use that as a lookup in a search i do not get Matches, also when i use Domains included in the log.

index="proxy" | eval murl=url | lookup table.csv murl AS url OUTPUTNEW murl AS new| where dst like new
(i tryed also "%new%" and Things alike)

I then tryed to use inputlookup in a subsearch instead:

index="proxy" url !="" [inputlookup table.csv where url in(murl) ]

and it told me that the in function Needs a list of strings concatenated by commatas strin1,string2,string4

so i experimented with the Format/return (1000 $murl) commands

index="proxy" where url IN([inputlookup table.csv| fields murl| format "" "" "," "" "" ""])

but did not reach my Goal …

Is there a way to change the inputlookup result into a comma separated list to be used in the IN-function ?
Or does anybody have a search command that can do a partial match by a list of values provided by a lookup table ?

Thank you very much

Kai

Labels (1)
0 Karma
1 Solution

manjunathmeti
Champion

Try this:

index="proxy" [ | inputlookup table.csv | eval url="*".murl."*" | fields url | format]

View solution in original post

0 Karma

manjunathmeti
Champion

Try this:

index="proxy" [ | inputlookup table.csv | eval url="*".murl."*" | fields url | format]
0 Karma

dusoldkai
New Member

Thank you very much ! I thought it must be very easy 😉

0 Karma
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...