Now I want to check if a client looks up a malware domain. The problem is that the value from dnsdomain is not always the same as the value from malwaredomain. It's more likely that the malwaredomain is a "substring" from the dnsdomain or the dnsdomain contains the malwaredomain.
I tried populating all the values from the malwaredomains index with a subsearch and comparing it with the value of the dnsdomain in the other search. But that is not working:
index = dns dns_domain= * [search index=security_intelligence sourcetype=security:intelligence:malwaredomains | fields malware_domain,malware_type] | table dns_client malware_domain_full malware_type | eval or where clause to check if there is a match.
For a concrete example of how this works, take a look at this PDF that walks through using URL Toolbox to check entropy of subdomains (toward the end, just search for entropy) with step-by-step examples. You can go through the first few steps to actually extract out the pieces you're looking for. https://splunk.box.com/v/SplunkLive2016ScottsdaleSec
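The matching logic the question is after, as an added example in Python rather than SPL (not from this thread or from URL Toolbox): a label-aligned suffix match of each queried name against the malware-domain list, shown next to the naive substring check so the difference is visible. Domain names, client addresses and the list itself are constructed for the example.

```python
"""Match DNS query names against a malware-domain list by DNS label suffix.

Added example, not from the original thread. A plain substring check
flags 'notevil-example.test' for the listed 'evil-example.test' and also
matches a listed domain buried in the middle of an unrelated name; the
suffix match below only fires on the listed domain or its subdomains.
"""

# Constructed sample data (not real indicators).
MALWARE_DOMAINS = {
    "evil-example.test": "c2",
    "bad-site.example": "phishing",
}

DNS_EVENTS = [  # (dns_client, dns_domain) as the dns index would carry them
    ("10.0.0.5", "www.evil-example.test."),
    ("10.0.0.6", "notevil-example.test"),
    ("10.0.0.7", "evil-example.test"),
    ("10.0.0.8", "cdn.bad-site.example.attacker-owned.test"),
    ("10.0.0.9", "benign.example"),
]

def normalise(name):
    """Strip a trailing root dot and lowercase, as DNS names are case-insensitive."""
    return name.rstrip(".").lower()

def candidate_suffixes(name):
    """Yield the name itself and every label-aligned parent, excluding the bare TLD."""
    labels = normalise(name).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def match_domain(dns_domain, malware_domains):
    """Return (matched_domain, malware_type) or None via label-aligned suffix match."""
    for suffix in candidate_suffixes(dns_domain):
        if suffix in malware_domains:
            return suffix, malware_domains[suffix]
    return None

def substring_match(dns_domain, malware_domains):
    """The naive 'contains' check the question describes, kept for comparison."""
    d = normalise(dns_domain)
    return [m for m in malware_domains if m in d]

def find_hits(events, malware_domains):
    """Produce the rows the question wants: dns_client, malware_domain, malware_type."""
    hits = []
    for client, qname in events:
        m = match_domain(qname, malware_domains)
        if m:
            hits.append({"dns_client": client, "malware_domain": m[0], "malware_type": m[1]})
    return hits
```

In Splunk the same label-aligned check is what a lookup keyed on the parsed domain gives you; a raw substring comparison produces the false positives shown by substring_match.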