Hello,
I’d like to configure a wildcard usage for a lookup table, but unfortunately I’m not a Splunk guru and probably need a hand.
I have a lookup called "malware_domain_whitelist" with the URLs I’d like to whitelist for the standard Enterprise Security correlation search “Threat Activity Detected”. The lookup looks like this:
url | whitelisted
url1.com | true
url2.org | true
url3.net | true
Etc.
I would like to use a wildcard with the ‘url’ column in order to add to the correlation search lines like:
| lookup malware_domain_whitelist url OUTPUT whitelisted
| search NOT whitelisted="true"
I have two questions please:
First: if I understood correctly, I have to modify the transform.conf. But should I modify transform.conf on $SPLUNK_HOME/etc/system/default/ or should I create a copy on $SPLUNK_HOME/etc/system/local/?
Second: I’m not exactly sure about the modification I should write. Could you please correct the mistakes:
[malware_domain_whitelist]
Filename= malware_domain_whitelist.csv
match_type = WILDCARD(url)
Is there something else I should do?
Thanks for the help!
Regards.
The lookup definition contains "Filename" which is invalid, it should be all in lower case.
You should modify the transforms.conf inside etc\apps\app_name, not the one in system/local or system/default.
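Putting the two corrections together, here is the full stanza as it would go into the app's local transforms.conf. This is an added example, not from the question or the answer above; the app directory name is a placeholder, and the field name `url` is taken from the question.

```conf
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf   (<your_app> is a placeholder)
# The CSV itself goes in $SPLUNK_HOME/etc/apps/<your_app>/lookups/
[malware_domain_whitelist]
# setting names are lower case; "Filename" is not recognised by Splunk
filename = malware_domain_whitelist.csv
# treat the url column of the CSV as wildcard patterns (* and ?) when matching event values
match_type = WILDCARD(url)
# domain names are case-insensitive, so do not let capitalisation defeat the match
case_sensitive_match = false
```

With this in place, the wildcard goes into the lookup file rather than the search: a row such as `*.url1.com,true` matches `www.url1.com` and `cdn.url1.com`, while `url2.org,true` still matches only the exact value. The correlation search then stays as written in the question: `| lookup malware_domain_whitelist url OUTPUT whitelisted | search NOT whitelisted="true"`. Two things worth checking after the change: keep every pattern as narrow as possible (a row like `*.com` or a bare `*` would silently suppress almost every threat match), and confirm the `url` field you look up against is the same field the correlation search matched on, otherwise the lookup never returns a value and nothing is whitelisted. The same stanza can also be created from the UI under Settings > Lookups > Lookup definitions, where the wildcard setting sits under Advanced options as the match type.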
Great!
Thanks for the help.