Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with a lookuptable question?

adabud6267
Explorer
‎01-09-2019 07:44 AM

Hello all,

I have indexed data that contains an extracted field (domain) and a CSV (https.csv) file with the following headers URL,IP,Location_Code,Location_Name. I'd like to return ONLY events that concern the domains in the CSV files. 

| lookup https URL as domain OUTPUT IP, Location_Code, Location_Name

Would the above return only the events where the domain fields values match the values under the URL header in my CSV file?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-09-2019 08:09 AM

Hi adabud6267,
try something like this:

index=domain [ | inputlookup https | rename URL as domain | fields domain ]
| ...

beware that the field name (domain) must be the same in main search and subsearch.

If you want to run the search with a substring of URL field, you have to extract it using substr function or a regex.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-09-2019 08:09 AM

Hi adabud6267,
try something like this:

index=domain [ | inputlookup https | rename URL as domain | fields domain ]
| ...

beware that the field name (domain) must be the same in main search and subsearch.

If you want to run the search with a substring of URL field, you have to extract it using substr function or a regex.

Bye.
Giuseppe

Reply
Solved! Jump to solution

adabud6267
Explorer
‎01-22-2019 12:06 AM

Hello @cusello

Thank you for your answer! It works. Please tell me on thing.

will www.domain-foo.com match domain-foo.com ?

Also it appears, that I cannot use the fields from the csv file as I would do it with the lookup command. I'd like to add a column containing the city code from the CSV file if a domain match is found.

Thank you and I appreciate your help !

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2019 05:53 AM

To match a substring, you can use "*" at the beginning and the end of the string in you search.
Otherwise, in you search you can use

index=domain [ | inputlookup https | rename URL as query | fields query ]
| ...

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-22-2019 05:37 AM

@adabud6267 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...