Re: corellation search for below scenerio

vikram1583 · ‎12-04-2019

| tstats summariesonly max(time) as _time,values(Web.http_method) as http_method,values(Web.status) as status,count from datamodel=Web.Web where * (Web.url="*") by sourcetype,Web.src,Web.dest,Web.url
| drop_dm_object_name("Web")
| fields _time,sourcetype,http_method,status,src,dest,url,count
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}" in my lookup table I have 10 to 15 URL and each URL having malware name

can some on help me how I can write search as far as I know we can use map command

Lookup Table

URL malwareName
xxxxxxxxxxxxxx AnglerEK
xxxxxxxxxxxxx xxxxxxxxx
zzzzzzzzzzzzzz xxxxxxxxxx

zacharychristen · ‎12-04-2019

If I understand your question correctly, you are trying to output the "malwareName" from a lookup table that matches the "url" field, correct?

If so, this can be accomplished with the lookup command. You will first have to make sure your lookup table has a lookup definition configured (settings > lookups > lookup definitions).

Next you can use your lookup in the search. https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Lookup

| tstats `summariesonly` max(_time) as _time,values(Web.http_method) as http_method,values(Web.status) as status,count from datamodel=Web.Web where (Web.url="") by sourcetype,Web.src,Web.dest,Web.url
| `drop_dm_object_name("Web")`
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}" 
| lookup YOUR_LOOKUP_DEFINITION url OUTPUTNEW malwareName

vikram1583 · ‎12-05-2019

No in lookup i have 10 to 15 URLs in the place of regex url it should search all the list of urls in lookup

corellation search for below scenerio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms