Splunk Enterprise Security

Correlation search for below scenario

vikram1583
Explorer

| tstats `summariesonly` max(_time) as _time, values(Web.http_method) as http_method, values(Web.status) as status, count from datamodel=Web.Web where (Web.url="*") by sourcetype, Web.src, Web.dest, Web.url
| `drop_dm_object_name("Web")`
| fields _time, sourcetype, http_method, status, src, dest, url, count
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}"

In my lookup table I have 10 to 15 URLs, and each URL has a malware name.

Can someone help me with how I can write the search? As far as I know, we can use the map command.

Lookup Table

URL malwareName
xxxxxxxxxxxxxx AnglerEK
xxxxxxxxxxxxx xxxxxxxxx
zzzzzzzzzzzzzz xxxxxxxxxx

0 Karma

zacharychristen
Path Finder

If I understand your question correctly, you are trying to output the "malwareName" from a lookup table that matches the "url" field, correct?

If so, this can be accomplished with the lookup command. You will first have to make sure your lookup table has a lookup definition configured (settings > lookups > lookup definitions).

Next you can use your lookup in the search. https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Lookup

| tstats `summariesonly` max(_time) as _time, values(Web.http_method) as http_method, values(Web.status) as status, count from datamodel=Web.Web where (Web.url="*") by sourcetype, Web.src, Web.dest, Web.url
| `drop_dm_object_name("Web")`
| regex url="http:\/\/[^\x2f]+\/([a-z]{3,}[-]){3}[a-z]+\/[0-9]{15,20}"
| lookup YOUR_LOOKUP_DEFINITION url OUTPUTNEW malwareName
0 Karma

vikram1583
Explorer

No, in the lookup I have 10 to 15 URLs. In place of the regex on url, it should search for all of the URLs in the lookup.

0 Karma
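As an added example (not from any post in this thread), this is how the lookup itself can drive the tstats search instead of the regex, so that only the listed URLs are scanned and each hit is tagged with its malware name. The lookup definition name `malware_urls` is an assumption; the URL and malwareName columns are the ones shown in the question.

```spl
| tstats `summariesonly` max(_time) as _time, values(Web.http_method) as http_method, values(Web.status) as status, count
    from datamodel=Web.Web
    where [| inputlookup malware_urls | rename URL as Web.url | fields Web.url]
    by sourcetype, Web.src, Web.dest, Web.url
| `drop_dm_object_name("Web")`
| lookup malware_urls URL as url OUTPUTNEW malwareName
| table _time, sourcetype, src, dest, url, http_method, status, count, malwareName
```

The subsearch expands to `(Web.url="..." OR Web.url="...")` for every row in the lookup, so the search is restricted to the listed URLs before the lookup command adds malwareName. If the lookup URLs contain wildcards, set `match_type = WILDCARD(URL)` on the lookup definition in transforms.conf so the lookup command matches them too.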