| inputlookup suspicious_win_comm.csv
The lookup table has only one field, keyword:
keyword <- field name
tasklist
ver
ipconfig
net
time
systeminfo
netstat
whoami
chrome
I want to see a result like this:
event.commandline | matching keyword
c:\program files (x86)\application\chrome.exe --signal-argument http............ | chrome
I used this SPL on my local system:
index=crowdstrike
    [| inputlookup suspicious_win_comm.csv
     | eval event.commandline = "*".keyword."*"
     | fields event.commandline
     | format ]
You should use a wildcard lookup.
In your lookup, put a * character at the start and end of each keyword in the CSV, so the keywords are
*tasklist*
*ver*
and so on.
Create a lookup definition (suspicious_win_comm) and set the Advanced lookup option "Match type" to WILDCARD(keyword). Also make it case-insensitive if you want.
Then this is your search:
index=crowdstrike
    [| inputlookup suspicious_win_comm
     | rename keyword as event.commandline
     | fields event.commandline]
| lookup suspicious_win_comm keyword as event.commandline OUTPUT keyword
| eval keyword=replace(keyword, "\*", "")
| table event.commandline keyword
So this uses the lookup as a subsearch, which already has the wildcard * characters.
Then the lookup command uses the definition suspicious_win_comm (NOT the CSV file), and as keyword is a wildcard match field, it matches the keyword against the command line and finds the relevant match.
Then it just removes the * from the keyword found in the lookup.
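A complete version of the wildcard-lookup approach from the answer above, added here as an example; it is not part of the original answer. It assumes the CSV behind the lookup has a single keyword column whose values are wrapped in asterisks (*tasklist*, *net*, ...), and a lookup definition named suspicious_win_comm whose transforms.conf stanza sets match_type = WILDCARD(keyword) and case_sensitive_match = false. The index name and the event.commandline field come from the question; matched_keyword, and the use of host for grouping, are my choices.

```spl
index=crowdstrike
    [| inputlookup suspicious_win_comm
     | rename keyword AS event.commandline
     | fields event.commandline]
| lookup suspicious_win_comm keyword AS event.commandline OUTPUT keyword AS matched_keyword
| where isnotnull(matched_keyword)
| eval matched_keyword=mvmap(matched_keyword, trim(matched_keyword, "*"))
| stats count AS hits, values(event.commandline) AS sample_commandline BY host, matched_keyword
| sort - hits
```

Two points worth knowing before running this over real data. First, a lookup with the default max_matches (1000) returns every pattern that matches, so one command line can produce a multivalue matched_keyword: "netstat -an" matches both *net* and *netstat*, and anything containing "server" or "version" matches *ver*. The mvmap call strips the asterisks from each value, and stats BY matched_keyword then counts each matched keyword separately; set max_matches = 1 in the definition if you only want the first hit. Second, the subsearch filter is a search-time match and is always case-insensitive, while the lookup honours case_sensitive_match; the where clause drops events that passed the subsearch but did not match in the lookup, so the two stay consistent.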
1. Create a lookup definition
2. Do a field extraction on the matching keyword
3. Use command lookup in your SPL
Example:
| makeresults count=2
| streamstats count
| eval string=case(count=1, "c:\program files (x86)\application\chrome.exe --signal-argument http", count=2, "c:\program files (x86)\application\edge.exe --signal-argument http")
| eval keyword=case(count=1, "chrome", count=2, "edge")
| lookup keywords keyword OUTPUTNEW keyword AS keyword_lookup
| eval match=if(isnotnull(keyword_lookup), "Yes", "No")
| table keyword string match
Or, based on your requirements, check out: Solved: How do I return values that match column in Lookup... - Splunk Community
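The makeresults example above sets the keyword by hand; step 2 of the answer (extracting the matching keyword from the command line) is what a real search needs. The following is an added example and not part of the original answer. It assumes a lookup definition named keywords with a single lowercase keyword column without asterisks (exact match), the event.commandline field and index from the question, and it derives an exe field: the executable name in front of .exe when there is one, otherwise the first token of the command line so that bare commands such as "net user" or "whoami" still resolve.

```spl
index=crowdstrike event.commandline=*
| rex field=event.commandline "(?i)(?<exe>[\w.-]+)\.exe"
| eval exe=lower(coalesce(exe, mvindex(split(event.commandline, " "), 0)))
| lookup keywords keyword AS exe OUTPUT keyword AS matched_keyword
| where isnotnull(matched_keyword)
| table _time, host, exe, matched_keyword, event.commandline
```

Because the lookup is an exact match on the extracted name, "netstat -an" matches only netstat, not net, which is the main practical difference from the wildcard approach. The first-token fallback is only right for commands invoked without a path; an unquoted path containing spaces and no .exe suffix will yield its first path segment instead, so check the exe column on a sample of events before trusting the counts.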