data model and lookup table

AbubakarShahid · ‎05-16-2018

How do I run my list of IOC from my lookup table against a web datamodel by using tstats.
I can do the regular IOC lookup table against the indexes and it work perfectly fine, however, it just take a lot of memory.
It would be help if some one knows how to run csv or kv to compare it with datamodel.

HiroshiSatoh · ‎05-17-2018

Try this!

|tstats count from datamodel=Web where [| inputlookup http_intel.csv | fields url | rename url as Web.url]  by Web.url

xpac · ‎05-16-2018

Could you give an example what you're already doing, your data, your lookup, your expected output, etc?

AbubakarShahid · ‎05-16-2018

data model and lookup table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

data model and lookup table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future