Splunk Search

How to find inputlookup value in result?

jamesjung01
Explorer


| inputlookup suspicious_win_comm.csv

The lookup table has only one field, keyword, with these values:

tasklist
ver
ipconfig
net
time
systeminfo
netstat
whoami
chrome

I want to see a result like this:

event.commandline: c:\program files (x86)\application\chrome.exe --signal-argument http............
matching keyword: chrome

I used this SPL on my local system:

index=crowdstrike
[| inputlookup suspicious_win_comm.csv
| eval event.commandline = "*".keyword."*"
| fields event.commandline
| format ]


bowesmana
SplunkTrust

@jamesjung01 

You should use a wildcard lookup.

In your lookup, put a * character at the start and end of each keyword in the CSV, so the keywords are

*tasklist*
*ver*

and so on.

Create a lookup definition (suspicious_win_comm) and set the Advanced lookup option "Match type" to WILDCARD(keyword). Also make it case insensitive if you want.

Then this is your search:

index=crowdstrike
[
  | inputlookup suspicious_win_comm
  | rename keyword as event.commandline
  | fields event.commandline
]
| lookup suspicious_win_comm keyword as event.commandline
| eval keyword=replace(keyword, "\*", "")
| table event.commandline keyword

So this will use the lookup as a subsearch, which already has the wildcard * characters.

Then the lookup uses the definition suspicious_win_comm (NOT the CSV file) and as keyword is a wildcard match, it will match the keyword against the command line and find the relevant match.

Then it just removes the * from the keyword found in the lookup.
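As an added example (not code from either answer above), a self-contained search that exercises the wildcard lookup definition described in this answer against constructed command lines, including an upper-case path to check case-insensitive matching and a line that must stay unmatched. It assumes a lookup definition named suspicious_win_comm whose match type is WILDCARD(keyword) with case-sensitive matching turned off, over a CSV whose keyword column is wildcard-wrapped (*tasklist*, *net*, *netstat*, *chrome*, and so on); the field name matched_keyword is this example's own choice.

```spl
| makeresults count=4
| streamstats count
| eval 'event.commandline'=case(
    count=1, "C:\Windows\System32\tasklist.exe /v",
    count=2, "C:\Program Files (x86)\Google\Chrome\Application\CHROME.EXE --profile-directory=Default",
    count=3, "C:\Windows\System32\netstat.exe -ano",
    count=4, "C:\Windows\System32\notepad.exe readme.txt")
| lookup suspicious_win_comm keyword AS event.commandline OUTPUT keyword AS matched_keyword
| eval matched_keyword=replace(mvjoin(matched_keyword, ","), "\*", "")
| eval suspicious=if(isnotnull(matched_keyword), "yes", "no")
| table event.commandline matched_keyword suspicious
```

Several wildcard rows can hit the same command line (*net* and *netstat* both match netstat.exe), in which case the lookup returns a multivalue field, so mvjoin flattens it before the * padding is stripped. The isnotnull test is deliberate: comparing a missing field with != "" yields null rather than "no".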

PaulPanther
Motivator

@jamesjung01 

1. Create a lookup definition

2. Do a field extraction on the matching keyword

3. Use command lookup in your SPL

Example:

| makeresults count=2
| streamstats count
| eval string=case(count=1,"c:\program files (x86)\application\chrome.exe --signal-argument http", count=2,"c:\program files (x86)\application\edge.exe --signal-argument http")
| eval keyword=case(count=1, "chrome", count=2, "edge")
| lookup keywords keyword OUTPUTNEW keyword AS keyword_lookup
| eval match=if(isnotnull(keyword_lookup),"Yes","No")
| table keyword string match

Or, based on your requirements, check out: Solved: How do I return values that match column in Lookup... - Splunk Community
