Greetings everyone!
I have a question concerning a CSV lookup table with domains in it, which sadly does not work.
To be more precise:
I got a lookup table I created with the Lookup editor with the following example entry and a single column called URL:
.trendmicro.com
A simple | inputlookup file.csv
will display that value correctly. If I try to use this list in a search though, it just ignores it.
Here is my example search:
index=dns NOT
[ | inputlookup file.csv
| fields url ]
Is there any restriction in how an entry must be formatted to be accepted? *.trendmicro.com or trendmicro.com won't work either.
I just don't get what I am doing wrong since the contents of the file can be displayed.
Thanks alot! Help is much appreciated.
Best regards,
VB
Personally I would reformat the CSV like this:
domain, ignore
*trendmicro.com,true
In the lookup configuration, create a lookup definition and ensure wildcard matching is enabled (its not by default!)
then you can do:
"whatever your search providing a field called domain"|lookup ignored_domains domain OUTPUT ignore|where ignore!="true"