Scenario: I am matching dns queries to the domains listed in malware_domainsdm.csv. The .csv has multiple fields that I want to display after it matches the dns query domain to the malware domains.
Here is the search I am currently using, it displays the all .csv fields (column headers) but no values.
index=DNSlogs | eval reformattedDomain = replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1")
| stats count by reformattedDomain
| lookup malware_domainsdm.csv domain AS reformattedDomain
| eval domainmatch=if(reformatedDomain==domain, "bad", "good")
Please provide an example, thank you
You mean something like
|lookup malware_domainsdm.csv domain AS reformattedDomain OUTPUT FieldX FieldY FieldZ
Not quite what else you are asking for but the lookup command without OUTPUT should already output all fields by default.
You mean something like
|lookup malware_domainsdm.csv domain AS reformattedDomain OUTPUT FieldX FieldY FieldZ
Not quite what else you are asking for but the lookup command without OUTPUT should already output all fields by default.
Hi Ryan, you are correct with your answer and I apologize for the confusion on this question. I did not properly test a matching condition. When a matching condition occurs all fields populate. Thank you for your help.