Splunk Search

How to find out if a URL contains a specific IP or host name?

Toki
Explorer

I'm using a lookup but don't know how to do a partial match instead of an exact match.

Example: 10.20.30.40 is in the list, and I want to get the result for URL=https://10.20.30.40~. Is that possible?

1 Solution

yuanliu
SplunkTrust

So, you are asking about match_type=WILDCARD. If you define lookups with a configuration file, see Lookup tables; the following is an excerpt:
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
  specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT. Only fields
  that should use WILDCARD or CIDR matching should be specified in this list.
* Default: EXACT

If you use Splunk Web, when you define a lookup, check "Advanced options", then in "Match type", enter said space-delimited list of <match_type>(<field_name>).  For example, enter

WILDCARD(URL)

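As an added worked example (not part of the thread), here are all the pieces the accepted answer's WILDCARD approach needs, end to end: with match_type = WILDCARD(URL) the asterisks belong in the lookup CSV values, not in the search string. The lookup name blacklist_hosts, its file name, the reason field and the proxy index are assumptions; lines starting with # are annotations, not file content.

```text
# --- lookups/blacklist_hosts.csv (constructed sample) ---
# The event field URL is compared against each pattern below. A single
# broad row such as *://10.20.30.40* would also match https://10.20.30.400/
# and https://10.20.30.40.1/, so these rows pin what follows the address.
URL,reason
*://10.20.30.40,blocked-ip
*://10.20.30.40/*,blocked-ip
*://10.20.30.40:*,blocked-ip
*://*.bad-example.test,blocked-host
*://*.bad-example.test/*,blocked-host

# --- local/transforms.conf ---
# Rows without any * still match exactly, so plain entries keep working.
[blacklist_hosts]
filename = blacklist_hosts.csv
match_type = WILDCARD(URL)
case_sensitive_match = false
max_matches = 1
# CIDR(...) matching expects a bare IP address in the event field; it does
# not apply to a full URL, so extract the host first if you want ranges.

# --- search (SPL) ---
index=proxy sourcetype=web
| lookup blacklist_hosts URL OUTPUT reason
| where isnotnull(reason)
| stats count BY URL, reason
```

The same WILDCARD(URL) value entered under "Match type" in Splunk Web's Advanced options produces the transforms.conf stanza shown here.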

yuanliu
SplunkTrust

To paraphrase an old Linux joke, with SPL, everything is possible except brew coffee.

It all depends on what you define as "get the result of".  At the most basic level, you can do

//10.20.30.40*

This will match http://10.20.30.40, https://10.20.30.40, https://10.20.30.40/, and so on.  In fact, as the character ~ is a term boundary, you can even skip the asterisk and search

//10.20.30.40

Of course this will also match "garbage //10.20.30.40~".  To be more selective, you can try

URL=http*://10.20.30.40*

or an unlimited number of refined variants.


Toki
Explorer

Thank you for your answer.
I apologize for the poor way of writing.
The example "10.20.30.40" is in the blacklist CSV file, along with other IPs and host names, and I am looking for a method to check them all at once.

Toki
Explorer

Thank you.
It means that you need to tweak the settings, not the search statement.
