Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

data model and lookup table

AbubakarShahid
New Member
‎05-16-2018 12:51 PM

How do I run my list of IOC from my lookup table against a web datamodel by using tstats.
I can do the regular IOC lookup table against the indexes and it work perfectly fine, however, it just take a lot of memory.
It would be help if some one knows how to run csv or kv to compare it with datamodel.

Tags (1)
0 Karma
Reply

HiroshiSatoh
Champion
‎05-17-2018 07:40 AM

Try this!

|tstats count from datamodel=Web where [| inputlookup http_intel.csv | fields url | rename url as Web.url]  by Web.url
0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-16-2018 01:09 PM

Could you give an example what you're already doing, your data, your lookup, your expected output, etc?

0 Karma
Reply

AbubakarShahid
New Member
‎05-16-2018 01:54 PM

for example here is a very basic search i am running
|tstats count from datamodel=Web by Web.url
| search
[| inputlookup http_intel
| fields url
| rename url as Web.url]

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...