Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

corellation search for below scenerio

vikram1583
Explorer
‎12-04-2019 10:24 AM

| tstats summariesonly max(time) as _time,values(Web.http_method) as http_method,values(Web.status) as status,count from datamodel=Web.Web where * (Web.url="*") by sourcetype,Web.src,Web.dest,Web.url
| drop_dm_object_name("Web")
| fields _time,sourcetype,http_method,status,src,dest,url,count
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}" in my lookup table I have 10 to 15 URL and each URL having malware name

can some on help me how I can write search as far as I know we can use map command

Lookup Table

URL malwareName
xxxxxxxxxxxxxx AnglerEK
xxxxxxxxxxxxx xxxxxxxxx
zzzzzzzzzzzzzz xxxxxxxxxx

0 Karma
Reply

zacharychristen
Path Finder
‎12-04-2019 07:55 PM

If I understand your question correctly, you are trying to output the "malwareName" from a lookup table that matches the "url" field, correct?

If so, this can be accomplished with the lookup command. You will first have to make sure your lookup table has a lookup definition configured (settings > lookups > lookup definitions).

Next you can use your lookup in the search. https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Lookup

| tstats `summariesonly` max(_time) as _time,values(Web.http_method) as http_method,values(Web.status) as status,count from datamodel=Web.Web where (Web.url="") by sourcetype,Web.src,Web.dest,Web.url
| `drop_dm_object_name("Web")`
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}" 
| lookup YOUR_LOOKUP_DEFINITION url OUTPUTNEW malwareName
0 Karma
Reply

vikram1583
Explorer
‎12-05-2019 03:46 PM

No in lookup i have 10 to 15 URLs in the place of regex url it should search all the list of urls in lookup

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...