Dear Splunk Experts,
I have very little experience with Splunk and need your help with my search.
I have a lookup with a list of malicious domains and URLs. I need to get alerted if an accessed URL contains any of the domains or URLs in the lookup.
My search below isn't working!
index=paloalto
|search [inputlookup domains.csv | fields url ]
Maybe this will match only when the URL is exactly the same as in the list. Please help!
Also, we have data models related to 'networktraffic' and 'paloalto', but I don't know how to use them 😞
Regards,
Anil A
Hi @anil_ec21,
try something like this:
index=paloalto [ | inputlookup domains.csv | rename url AS query | fields query ]
| ...
In this way you run a full-text search on the index using all the records of the lookup's url field.
Ciao.
Giuseppe
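The same subsearch pattern, as an added example (not from this thread), but with each lookup value wrapped in wildcards so that a URL that merely contains a listed domain also matches; it assumes the lookup column is named url and that the Palo Alto events carry the accessed URL in a field named url:

```spl
index=paloalto
    [ | inputlookup domains.csv
      | eval query="url=\"*" . url . "*\""
      | fields query ]
| table _time url
```

The subsearch expands to `url="*xyz.com*" OR url="*www.abc.com/page*" ...`; leading wildcards force a scan of every event in the time range, so keep the lookup short or schedule the search over a narrow window.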
Thank you very much for quick reply! It worked 🙂
My lookup CSV file contains the following:
IOC
xyz.com
1.2.3.4.com/something
www.abc.com/page
and so on!