How come URLs in my lookup table are not working?

VanyBerg · ‎03-06-2019

Greetings everyone!

I have a question concerning a CSV lookup table with domains in it, which sadly does not work.

To be more precise:

I got a lookup table I created with the Lookup editor with the following example entry and a single column called URL:

.trendmicro.com

A simple | inputlookup file.csv will display that value correctly. If I try to use this list in a search though, it just ignores it.

Here is my example search:

index=dns NOT 
  [ | inputlookup file.csv
    | fields url ]

Is there any restriction in how an entry must be formatted to be accepted? *.trendmicro.com or trendmicro.com won't work either.

I just don't get what I am doing wrong since the contents of the file can be displayed.

Thanks alot! Help is much appreciated.

Best regards,

VB

nickhills · ‎03-06-2019

Personally I would reformat the CSV like this:

domain, ignore
*trendmicro.com,true

In the lookup configuration, create a lookup definition and ensure wildcard matching is enabled (its not by default!)

then you can do:

"whatever your search providing a field called domain"|lookup ignored_domains domain OUTPUT ignore|where ignore!="true"

If my comment helps, please give it a thumbs up!

Are you a member of the Splunk Community?