| tstats `summariesonly` max(_time) as _time,values(Web.http_method) as http_method,values(Web.status) as status,count from datamodel=Web.Web where (Web.url="*") by sourcetype,Web.src,Web.dest,Web.url
| `drop_dm_object_name("Web")`
| fields _time,sourcetype,http_method,status,src,dest,url,count
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}"
In my lookup table I have 10 to 15 URLs, and each URL has a malware name.
Can someone help me with how I can write the search? As far as I know we can use the map command.
Lookup Table
URL              malwareName
xxxxxxxxxxxxxx   AnglerEK
xxxxxxxxxxxxx    xxxxxxxxx
zzzzzzzzzzzzzz   xxxxxxxxxx
If I understand your question correctly, you are trying to output the "malwareName" from a lookup table that matches the "url" field, correct?
If so, this can be accomplished with the lookup command. You will first have to make sure your lookup table has a lookup definition configured (Settings > Lookups > Lookup definitions).
Next you can use your lookup in the search: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Lookup
| tstats `summariesonly` max(_time) as _time,values(Web.http_method) as http_method,values(Web.status) as status,count from datamodel=Web.Web where (Web.url="*") by sourcetype,Web.src,Web.dest,Web.url
| `drop_dm_object_name("Web")`
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}"
| lookup YOUR_LOOKUP_DEFINITION URL AS url OUTPUTNEW malwareName
No, in the lookup I have 10 to 15 URLs. In place of the regex on url, it should search for all of the URLs in the lookup.
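The following search is an added editor's example, not code from either poster in this thread, showing the lookup-driven version of the search the answer describes and the follow-up asks for: every URL in the lookup is used as a filter, and the matching malware name is attached to each result. It assumes a lookup definition named malware_urls (a placeholder name) whose columns are URL and malwareName, as in the table posted in the question.

```spl
| tstats `summariesonly` max(_time) as _time, values(Web.http_method) as http_method, values(Web.status) as status, count
    from datamodel=Web.Web
    where [| inputlookup malware_urls | rename URL as Web.url | fields Web.url]
    by sourcetype, Web.src, Web.dest, Web.url
| `drop_dm_object_name("Web")`
| lookup malware_urls URL AS url OUTPUTNEW malwareName
| where isnotnull(malwareName)
| table _time, sourcetype, src, dest, url, http_method, status, count, malwareName
```

The subsearch in the where clause reads the lookup and expands to `(Web.url="..." OR Web.url="...")` for every row, so the regex and the map command are not needed; with 10 to 15 rows this is far below the default subsearch result limit. The lookup command then adds malwareName to each row, and the isnotnull filter drops anything that somehow passed the filter without a lookup match. The match is an exact string comparison, so a URL with a different query string or letter case will not hit; if the lookup rows contain wildcards such as `http://example.test/*`, set match_type = WILDCARD(URL) on the lookup definition (transforms.conf) so that both the subsearch filter and the lookup enrichment honour them.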